Uber’s European operation has been fined £385,000 for a data breach that affected almost 3 million British users, the Information Commissioner’s Office has announced.
In November 2016, attackers obtained credentials to access Uber’s cloud servers and downloaded 16 large files, including the records of 35 million users worldwide. The records included passengers’ full names, phone numbers, email addresses, and the location where they had signed up.
Drivers were also affected, with 3.7 million, including 82,000 from the UK, having their weekly pay, trip summaries and, in a small number of cases, driver’s licence numbers accessed.
The ICO said the breach was caused by inadequate information security, and was compounded by Uber US’s decision to not disclose the attack, instead complying with the hackers’ demands to pay $100,000 as a “bug bounty”. Such bounties are common in the security world, with companies offering rewards to researchers who find and notify them of system weaknesses before they can be attacked.
However, the ICO wrote: “Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users.”
It said none of the people whose personal data had been compromised were notified of the breach. Instead, the company only began monitoring accounts for fraud 12 months after the attack.
However, the potential penalty was mitigated by the fact that Uber’s European branches were also not informed of the breach, meaning the company was notable to report it to the commissioner; and by the lack of evidence that the compromised data was misused.
Uber US was ordered in September to pay $148m for failing to notify drivers about the breach.
In a statement, Uber said “We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.
“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”
The timing of the breach meant the fine was issued under the old Data Protection Act 1998, which sets out a maximum financial penalty of £500,000. Under the DPA 2018, which brings the EU’s general data protection regulation into British law, the potential fine would be much higher, at up to 4% of Uber’s global revenue.
Commenting about the fine Mark Adams, Regional Vice President of UK & Ireland, Veeam said: “Uber has paid the price for those avoidable data security flaws. The hefty fine serves as an unfortunate reminder that breaches can happen to any business, and many will argue that the ICO’s punishment was entirely justified given the ride-hailing company’s incident response – which could be described as ‘apathetic’ at best.
“We would hope that Uber has learnt from the mistakes it has made and now takes its approach to data management more seriously. For any company hoping to ensure they avoid them altogether, we’d recommend working quickly to deliver a company-wide employee training program on data protection and phishing attacks. Human-led errors are still the weakest link in the security chain for a business. No matter who you are or who you work for, this has to be right and employees have to be more aware of their actions.
“From a technology standpoint, knowing how to find and implement intelligent data management tools that can spot irregularities automatically and act accordingly is crucial. Are the latest security products helpful? Sure, to an extent. They are a great first line of defence. But when the first barriers are breached, what have you got left to protect your business and its staff? For many, the answer is nothing at all. There can never be a ‘it will never happen to us’ mentality. Being prepared for the absolute worst might seem excessive to begin with, but this is the key to a successful data breach response. It’s near impossible to prevent all data leakage and data theft, but a strong and versatile incident response process can help significantly reduce the pain associated with these types of data breach issues.”