Image credit: Photothek via Getty Images

Uber fined £385,000 in the UK for 2016 cyber-attack

The UK's privacy watchdog said it exposed customers to increased risk of fraud.
Uber has been fined £385,000 ($491,000) by the UK's privacy watchdog for "failing to protect" the personal info of around 2.7 million UK users during a cyber attack in 2016. The figure isn't far off from the maximum penalty of £500,000 ($638,000) handed down to Facebook by the Information Commissioner's Office (ICO) over its Cambridge Analytica-related failures.

The decision arrives almost a year to the day since the ICO opened its investigation into Uber, with the watchdog's director of investigations, Steve Eckersley, noting that it was "not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen."

Last November, Uber confessed that it hid an extortion-oriented cyberattack which exposed the personal info for roughly 57 million customers and drivers in October 2016, including names, email addresses and phone numbers. It later revealed that roughly 2.7 million of those affected users were from the UK. Rather than reporting the attack, it paid hackers $100,000 to delete the info and keep quiet for more than a year -- although its then-new CEO Dara Khosrowshahi knew two months before news went public.

Uber said at the time that it found "no evidence of fraud or misuse tied to the incident." It also fired its chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for apparently covering up the truth.

The ICO today said "a series of avoidable data security flaws allowed the personal details" of UK Uber users to be "accessed and downloaded by attackers from a cloud-based storage system." Alongside customers, it said that the records of almost 82,000 UK-based Uber drivers -- which included details of journeys made and how much they were paid -- were also taken during the incident.

The watchdog's investigation found that the attackers used "credential stuffing" -- a method that involves compromised username and password pairs being inserted into websites until they are matched to an existing account -- to gain access to Uber's data storage. It concluded that the incident was a serious breach of principle seven of the Data Protection Act 1998, and had "the potential to expose the customers and drivers affected to increased risk of fraud."
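The credential-stuffing pattern the ICO describes has a recognisable signature on the defending side: one source tries many different usernames in a short period, each usually only once, and almost all of the attempts fail. The following is an added example, written for this page and not code from the article, Uber or the ICO, showing a simple per-source detector run over constructed login-audit records. The record format, the IP addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Flag login sources whose activity looks like credential stuffing.

Added example with constructed data; not real telemetry from any company.
Heuristic: within a sliding time window, a single source IP makes many
attempts against many distinct usernames with a very low success ratio.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    src_ip: str
    username: str
    success: bool


def find_stuffing_sources(events, window_s=300, min_attempts=20,
                          min_distinct_users=10, max_success_ratio=0.2):
    """Return {src_ip: summary} for sources matching the stuffing heuristic.

    Thresholds are illustrative assumptions, not a published standard.
    For each IP the events are scanned with a sliding window of window_s
    seconds; the widest qualifying window is reported.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_s seconds.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            attempts = len(window)
            users = {e.username for e in window}
            successes = sum(1 for e in window if e.success)
            if (attempts >= min_attempts
                    and len(users) >= min_distinct_users
                    and successes / attempts <= max_success_ratio):
                prev = flagged.get(ip)
                if prev is None or attempts > prev["attempts"]:
                    flagged[ip] = {"attempts": attempts,
                                   "distinct_users": len(users),
                                   "successes": successes}
    return flagged


def constructed_events():
    """Build a small, labelled set of sample records (all constructed)."""
    events = []
    # 1) Stuffing source: one try per leaked credential pair, 40 different
    #    usernames in 200 seconds, two of which happen to match.
    for i in range(40):
        events.append(LoginEvent(ts=1000 + i * 5, src_ip="203.0.113.7",
                                 username=f"user{i:03d}",
                                 success=(i in (7, 29))))
    # 2) Legitimate user who mistypes a password three times, then succeeds.
    for i, ok in enumerate([False, False, False, True]):
        events.append(LoginEvent(ts=1000 + i * 20, src_ip="198.51.100.9",
                                 username="alice", success=ok))
    # 3) Office NAT: 25 different employees all log in successfully.
    #    Many distinct users, but the success ratio rules it out.
    for i in range(25):
        events.append(LoginEvent(ts=1000 + i * 8, src_ip="192.0.2.5",
                                 username=f"emp{i:02d}", success=True))
    return events


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(constructed_events()).items():
        print(ip, summary)
```

Only the first source is reported; the shared office address survives because nearly every attempt succeeds, and the single mistyping user never reaches the attempt threshold. A per-IP heuristic like this is a starting point rather than a complete control: a stuffing campaign spread across many addresses stays under each per-source threshold, so production detection usually also looks at global failure rates per username and at the proportion of logins arriving from previously unseen devices, and pairs detection with rate limiting and multi-factor authentication on the login path.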

But it could've been much worse for the ride-sharing company. The breach took place before the introduction of the EU's General Data Protection Regulation (GDPR) earlier this year, which allows the ICO to hand down heftier fines of up to £17 million or 4 percent of a company's turnover. Aside from the UK penalty, Uber has also been fined €600,000 ($679,000) by the Dutch data protection authority. It said that 174,000 Dutch citizens were impacted by the breach.
