Uber has been fined more than £900,000 by UK and Dutch regulators over a hack in which millions of customer details were stolen and which the company then hushed up.
Britain’s Information Commissioner’s Office (ICO), which issued a £385,000 penalty to the ride-sharing company, said it had shown “complete disregard” for the customers as well as 82,000 drivers whose records were taken.
In the Netherlands, where 174,000 citizens were affected by the worldwide incident, Uber was fined €600,000 (£532,000) by the Dutch data protection authority.
Details of the 2016 hack, which affected 57 million Uber users worldwide, were first disclosed a year later – when it also emerged that the company paid the hackers $100,000 to delete the data rather than notifying the victims.
The ICO said a series of “avoidable data security flaws” had allowed customers’ personal details to be accessed and downloaded from a cloud-based storage system operated by Uber in the US.
They included full names, email addresses and phone numbers.
Driver details – including journeys made and how much they were paid – were also taken during the incident in October and November 2016.
The ICO said the hackers used a process known as “credential stuffing”, in which compromised username and password pairs are entered into websites until they are matched to an existing account, to gain access to Uber’s data storage.
The regulator said the incident had the potential to expose customers and drivers affected to increased risk of fraud.
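The credential-stuffing pattern the ICO describes has a recognisable shape in authentication logs: one source cycles through many different usernames and most attempts fail, whereas a legitimate user who mistypes a password retries the same account. The following is an added defensive example, not code from the article or from Uber, that parses a few constructed log lines (the log format, the IP addresses and the user names are all assumed for illustration) and flags sources matching that shape, listing the accounts that were successfully matched so they can be reset and their owners notified.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines; the format "<ts> ip=<addr> user=<name> result=<ok|fail>"
# is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2016-10-13T03:00:01Z ip=203.0.113.7 user=alice result=fail
2016-10-13T03:00:02Z ip=203.0.113.7 user=bob result=fail
2016-10-13T03:00:02Z ip=203.0.113.7 user=carol result=fail
2016-10-13T03:00:03Z ip=203.0.113.7 user=dave result=ok
2016-10-13T03:00:03Z ip=203.0.113.7 user=erin result=fail
2016-10-13T03:00:04Z ip=203.0.113.7 user=frank result=fail
2016-10-13T03:00:05Z ip=203.0.113.7 user=grace result=fail
2016-10-13T03:00:06Z ip=203.0.113.7 user=heidi result=fail
2016-10-13T03:01:00Z ip=198.51.100.2 user=alice result=fail
2016-10-13T03:01:05Z ip=198.51.100.2 user=alice result=fail
2016-10-13T03:01:09Z ip=198.51.100.2 user=alice result=ok
2016-10-13T03:02:00Z ip=192.0.2.9 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with a high failure ratio.

    Credential stuffing replays leaked username/password pairs, so one source
    touches many accounts and most attempts fail. A user who mistypes their own
    password retries the same account, so the distinct-user count per source
    separates the two. Returns {ip: stats} for flagged sources only.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["failures"] += 1
        else:
            s["hits"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": ratio,
                # Accounts the replayed pairs actually matched: these need a
                # forced credential reset and a notification to the owner.
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds are deliberately simple; in production the same counts are kept per time window and combined with rate limiting and a forced reset of any account that a flagged source logged into, which is the step that turns detection into protection for the people whose credentials were reused.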
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
The ICO penalty was issued under the 1998 data protection laws, under which the maximum fine was £500,000.
Under new laws that came into force this year, the regulator has the power to impose fines on companies of up to £17m, or 4% of global turnover.