The decision arrives almost a year to the day since the ICO opened its investigation into Uber, with the watchdog's director of investigations, Steve Eckersley, noting that it was "not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen."
Last November, Uber confessed that it hid an extortion-oriented cyberattack which exposed the personal info for roughly 57 million customers and drivers in October 2016, including names, email addresses and phone numbers. It later revealed that roughly 2.7 million of those affected users were from the UK. Rather than reporting the attack, it paid hackers $100,000 to delete the info and keep quiet for more than a year -- although its then-new CEO Dara Khosrowshahi knew two months before news went public.
Uber said at the time that it found "no evidence of fraud or misuse tied to the incident." It also fired its chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for apparently covering up the truth.
The ICO today said "a series of avoidable data security flaws allowed the personal details" of UK Uber users to be "accessed and downloaded by attackers from a cloud-based storage system." Alongside customers, it said that the records of almost 82,000 UK-based Uber drivers –- which included details of journeys made and how much they were paid –- were also taken during the incident.
The watchdog's investigation found that the attackers used "credential stuffing" -- a method that involves compromised username and password pairs being inserted into websites until they are matched to an existing account -- to gain access to Uber's data storage. It concluded that the incident was a serious breach of principle seven of the Data Protection Act 1998, and had "the potential to expose the customers and drivers affected to increased risk of fraud."
But it could've been much worse for the ride-sharing company. The breach took place before the introduction of the EU's General Data Protection Regulation (GDPR) earlier this year, which allows the ICO to hand down heftier fines of up to £17 million or 4 percent of a company's turnover. Aside from the UK penalty, Uber has also been fined €600,000 ($679,000) by the Dutch data protection authority. It said that 174,000 Dutch citizens were impacted by the breach.