Data breach exposed customers' and drivers' personal data

Nov 27, 2018 20:48 GMT

Uber was fined over $1,000,000 in total by the UK's Information Commissioner's Office (ICO) and the Dutch Data Protection Authority (Dutch DPA) for failing to protect customers' personal information and for violating the Dutch data breach regulations.

"The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack," said the ICO in a press release.

Moreover, "The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation. In 2016 a data breach occurred at the Uber concern in the form of unauthorised access to personal data of customers and drivers."

The 2016 Uber data breach affected 57 million Uber users worldwide, around 174,000 of them in the Netherlands. According to the ICO, 2.7 million UK customers had their data exposed in the breach, and roughly 82,000 records belonging to UK drivers were also taken by the attackers.

During the incident, customers' full names, email addresses, and phone numbers, as well as drivers' payment amounts and journey details, were stolen from "a cloud-based storage system operated by Uber's US parent company."

Uber paid the attackers $100,000 to destroy the stolen data

The ICO found while investigating the 2016 Uber data breach that the attackers were able to compromise the company's computing systems using credential stuffing, an attack in which username/password pairs leaked from earlier breaches elsewhere are replayed in bulk against a target's login, relying on the fact that many people reuse the same password across services. Each stolen pair is typically tried only once, so the attacker logs in as whichever users happen to have reused a password, without ever guessing one.
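The login pattern that distinguishes credential stuffing from ordinary failed logins or a single-account brute force is the one a defender can alert on: one source tries many different usernames, about once each, with a high failure rate and the occasional success. The following detector is an added example written for this article; it is not Uber's code and is not drawn from the ICO or Dutch DPA findings. The log format, the three constructed source IPs and the alert thresholds are all assumptions chosen for illustration.

```python
"""Heuristic credential-stuffing detector run over constructed auth log lines.

Added example, not code from Uber or the regulators. The log line format
(`<timestamp> ip=<addr> user=<name> result=OK|FAIL`) and the thresholds
are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed log format; adjust the regex to match a real authentication log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> str:
    """Constructed sample log (not real data) containing three patterns."""
    lines = []
    # Pattern 1: credential stuffing. One IP, 20 different usernames, one try
    # each, mostly failures; two succeed because those users reused passwords.
    for i in range(20):
        result = "OK" if i in (3, 11) else "FAIL"
        lines.append(f"2016-10-13T02:14:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result={result}")
    # Pattern 2: password brute force. One IP hammering a single account.
    for i in range(15):
        lines.append(f"2016-10-13T02:15:{i:02d}Z ip=198.51.100.9 user=bob result=FAIL")
    # Pattern 3: ordinary users: a typo followed by a successful login.
    lines.append("2016-10-13T02:16:00Z ip=192.0.2.5 user=carol result=FAIL")
    lines.append("2016-10-13T02:16:05Z ip=192.0.2.5 user=carol result=OK")
    lines.append("2016-10-13T02:16:30Z ip=192.0.2.6 user=dave result=OK")
    return "\n".join(lines)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect_credential_stuffing(events, min_attempts=10,
                               min_distinct_ratio=0.8, min_fail_ratio=0.7) -> dict:
    """Flag source IPs whose login attempts look like credential stuffing.

    Signals (thresholds are assumptions): enough volume, nearly every attempt
    uses a different username, and most attempts fail. A brute force against
    one account has a low distinct-user ratio and is deliberately not flagged.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, attempts in by_ip.items():
        total = len(attempts)
        if total < min_attempts:
            continue
        distinct_users = len({e["user"] for e in attempts})
        failures = sum(e["result"] == "FAIL" for e in attempts)
        if (distinct_users / total >= min_distinct_ratio
                and failures / total >= min_fail_ratio):
            flagged[ip] = {
                "attempts": total,
                "distinct_users": distinct_users,
                "failures": failures,
                "successes": total - failures,
            }
    return flagged


def compromised_accounts(events, flagged) -> list[str]:
    """Usernames that logged in successfully from a flagged IP.

    These are the accounts that need a forced password reset and, as the
    regulators' point in this case makes clear, a notification.
    """
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "OK"})


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    hits = detect_credential_stuffing(evts)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("accounts to reset/notify:", compromised_accounts(evts, hits))
```

Running it flags only 203.0.113.7 and lists user03 and user11 as the accounts that were actually entered; the brute force against bob and the ordinary logins are left alone. In production the thresholds would be tuned against baseline traffic and the source key widened beyond a single IP, since stuffing tools rotate through proxies.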

After discovering the attack, Uber did not report the security incident to data protection authorities or to the affected customers and drivers, instead choosing to pay the attackers $100,000 to destroy the data they had stolen.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen," ICO Director of Investigations Steve Eckersley said. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The 2016 Uber data breach was only disclosed publicly in November 2017, about a year after it occurred, when Uber announced it and the media reported on the announcement.