ICO fines Uber £385,000 following its 2016 data breach

The Information Commissioner's Office (ICO) has fined mobile taxi-hailing juggernaut Uber £385,000 for failing to protect customer data in its devastating data breach scandal back in 2016.

The incident was a "serious breach of principle seven of the Data Protection Act 1998", said the ICO, and had the potential to expose the affected customers and drivers to increased risk of fraud being carried out against them.

The fine follows another one issued to the company in September. In a settlement with all 50 American states and the District of Columbia, Uber agreed to pay $148 million for failing to notify its drivers that their details had been stolen.

The October 2016 data breach in question affected 57 million of the company's drivers. Names, email addresses and phone numbers of over 50 million drivers were stolen and around 7 million drivers were affected, with hackers accessing around 600,000 US driver's license numbers.

In the UK, more than 2.7 million of its British customers and drivers were affected too. Again, names, email addresses and phone numbers were all stolen in the hack, and according to an ICO investigation, the stolen records of almost 82,000 UK-based drivers also included details of journeys made and how much they were paid.

"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," said Steve Eckersley, ICO Director of Investigations. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

The data was stolen as a result of "a series of avoidable security flaws" in a cloud-based storage system operated by Uber's US parent company. The ICO investigation also established how that storage was breached. The attackers used a technique called 'credential stuffing': taking username and password pairs compromised elsewhere and trying them against websites until a pair granted access to an account, then using that account's credentials to reach the cloud-based storage system.
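The distinguishing signal of credential stuffing, as the ICO describes it, is breadth: each leaked username/password pair is usually tried once, so a single source cycles through many different accounts with a high failure rate. The following detection routine, an added example that is not from the article or from Uber, runs over constructed authentication log lines in an assumed `ip=... user=... result=...` format and flags sources that match that pattern while leaving a single-account brute-force source unflagged.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (assumed format; not real Uber data).
SAMPLE_LOG = """\
2016-10-13T10:00:01Z ip=203.0.113.5 user=alice result=fail
2016-10-13T10:00:02Z ip=203.0.113.5 user=bob result=fail
2016-10-13T10:00:03Z ip=203.0.113.5 user=carol result=fail
2016-10-13T10:00:04Z ip=203.0.113.5 user=dave result=success
2016-10-13T10:00:05Z ip=203.0.113.5 user=erin result=fail
2016-10-13T10:00:06Z ip=203.0.113.5 user=frank result=fail
2016-10-13T10:00:07Z ip=198.51.100.7 user=alice result=fail
2016-10-13T10:00:08Z ip=198.51.100.7 user=alice result=fail
2016-10-13T10:00:09Z ip=198.51.100.7 user=alice result=success
2016-10-13T10:00:10Z ip=192.0.2.9 user=grace result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames with mostly failures.

    Unlike a brute-force attack on one account, stuffing spreads attempts across
    accounts, so the per-source count of distinct users is the key signal.
    Returns {ip: {"users": n, "attempts": n, "failures": n, "hits": [users]}}.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] == "success":
            s["hits"].append(m["user"])  # accounts the source actually got into
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]), "attempts": s["attempts"],
                           "failures": s["failures"], "hits": s["hits"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The successful logins listed under `hits` for a flagged source are the accounts to treat as compromised, since a valid pair from a third-party leak is exactly how a stuffing attack turns into access.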

"We're pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since," said an Uber spokesperson. "We learn from our mistakes and continue our commitment to earn the trust of our users every day."

Following the data breach, it was reported that Uber paid the hackers $100,000 (£78,000) for their silence so it could cover up the incident behind closed doors.

"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack," said Eckersley. "Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."

Reports also claim Uber's former CEO Travis Kalanick knew about the breach for over a year. He was forced out of the company in June 2017 amid allegations of sexism and poor working practices.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.