Labeling the incident a “series of avoidable data security flaws” that invited hackers to obtain the sensitive information, the Information Commissioner’s Office (ICO) imposed a fine of £385,000 ($490,759.50) on the enterprise. Separately, the Dutch Data Protection Authority fined the firm €600,000 ($678,780.00).
The breach, which affected 174,000 people in the Netherlands and 2.7 million people in the UK in 2016, was reportedly kept secret until 2017.
Instead of immediately informing the regulators about the attack and the customers about their data being compromised, reports say that Uber paid the attackers to destroy the hacked information.
ICO Imposed Fines on Uber
Steve Eckersley, ICO Director of Investigations, corroborated the reported account in a statement: “This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
“Paying the attackers and then keeping quiet about it afterward was not, in our view, an appropriate response to the cyber attack.”
An Uber spokesperson responded: “We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.
“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”