
UK fine against Uber for 2016 data breach would be 200 times bigger in 2018

Filip TRUȚĂ

November 28, 2018


Uber’s widely publicized data leak from two years ago has finally resulted in a fine from the UK Information Commissioner’s Office. The penalty would have been 203 times the amount if the leak had occurred this year, after the GDPR era took effect in May.

“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack,” reads the announcement. In US dollars, that figure translates into around $492,000.

As readers may remember, a series of flaws in Uber’s servers let hackers steal personal data of 2.7 million UK customers, as well as the records of almost 82,000 British drivers. The leak exposed full names, email addresses, phone numbers, journey info and even payment data. An investigation revealed that attackers used “credential stuffing” to access the data. As its name implies, the process involves “stuffing” credentials (leaked from a previous breach) into websites until they match existing accounts.

The ICO isn’t upset about the breach itself so much as it’s upset over Uber’s poor judgement in secretly paying the attackers money to have the data destroyed, a decision that made the case so controversial. Furthermore, those affected by the breach were not told about the incident until after a full year had passed. Whenever a company is breached, rapid disclosure is imperative so customers can take steps to protect themselves against fraud.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO Director of Investigations Steve Eckersley.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” Eckersley added.

The Netherlands has also fined Uber €600,000 through its local data protection authority, Autoriteit Persoonsgegevens.

Under the new General Data Protection Regulation, this blunder would have landed Uber a fine in the vicinity of 100 million US dollars (around £78 million), calculated at 4% of its last annual turnover of $2.7 billion. But because the breach occurred in the pre-GDPR era, the ICO has fined Uber close to the maximum penalty under the then-applicable 1996 Data Protection Act (DPA).

The ICO did the same last month when it fined Facebook the measly sum of £500,000 for the immensely controversial Cambridge Analytica scandal that was said to have helped Russia interfere with US elections. And a month earlier, the same fine was issued to Equifax for its monumental 2017 breach that resulted in exposure of 147 million customer records, the firing of two company executives overnight, and the sullying of its image beyond repair.
