Uber has been fined £385,000 for letting hackers steal data on 2.7 million UK customers. The full names, addresses and phone numbers of users went astray in the 2016 attack. The data had been stolen thanks to “avoidable data security flaws”, said the Information Commissioner’s Office. Uber has also been fined 600,000 euros (£532,000) by data regulators in Holland over the same breach, as it also affected 174,000 Dutch customers. “This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen,” said Steve Eckersley, director of investigations at the ICO. Uber had done nothing to alert people that data had been downloaded or to support people affected, he added. Customers whose data had been stolen had been left at “increased risk of fraud”, he said. The details on 2.7 million customers were part of a massive cache of information on 57 million people taken by the hacker group in October and November 2016.
Uber paid the attackers $100,000 (£78,400) to destroy the data they took. Paying the hackers and then saying nothing about it was “not an appropriate response to the cyber-attack”, said Mr Eckersley. In response, Uber said it had changed how it handled data since 2016 and now employed a chief privacy officer and a data protection head who oversaw its operations. It added: “We’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.” “We’re pleased to close this chapter on the data incident from 2016,” it said. In the US, Uber paid $148m to settle federal charges over the 2016 breach.