Last September, Uber agreed to pay $148 million to settle claims related to a 2016 data breach that exposed the personal data of more than 25 million American users. This November, Uber was fined an additional $1.17 million by the UK and Netherlands for the same data breach, which also compromised the personal data of millions of Europeans.

Uber got off lightly because the breach happened before the promulgation of the European Union’s new GDPR (General Data Protection Regulation) in May this year. Under the GDPR, similar data breaches could result in fines of up to 4 percent of the offending firm’s global revenue.

Elizabeth Schulze filed this report for CNBC:

The 2016 cyberattack allowed hackers to access the personal details, including full names, email addresses and phone numbers, of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands, authorities said.

After hiding the incident for more than a year, Uber admitted last November that hackers stole data from 57 million users and drivers worldwide. The company also paid hackers $100,000 to delete the data and conceal the breach.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The U.K.’s ICO said the cyberattack represented a “serious breach” of the country’s Data Protection Act of 1998 by exposing customers and drivers to increased risk of fraud. The Dutch regulator said it was fining Uber because it did not report the breach within the country’s mandated 72-hour window.