Reuters has reported on the huge financial penalty levied against Uber for its failure to disclose a data breach that occurred back in 2016.
Following a ten-month investigation into the breach, which compromised the personal details of 57 million Uber accounts, the tech firm now has to pay $148 million.
The breach was only reported to the regulator in November 2017 by Uber’s current CEO, Dara Khosrowshahi, one year after the hacking took place on the watch of the firm’s previous CEO. Khosrowshahi admits that the breach should have been reported as soon as it had been discovered.
In Europe, the GDPR stipulates that organisations must report a data breach to the relevant supervisory authority within 72 hours of the breach coming to the attention of the organisation concerned.
Where ‘high risk’ data is concerned – that is, for breaches that are likely to adversely affect the rights and freedoms of the affected individuals – those individuals must also be notified of the breach without delay, the GDPR says.
Far from telling the regulator, Uber attempted to cover up the leak by paying the hackers $100,000 to destroy the stolen data. This constituted “a blatant violation of the public trust,” according to California Attorney General Xavier Becerra.
This very deliberate disregard for the law has now been revealed in public, leaving a household name and globally trusted brand with its reputation in tatters. The punishment comes in an era of heightened awareness about personal data handling, in which consumers actively seek out companies that can demonstrate they can be trusted with sensitive information.
Facing the consequences
Uber’s fine is in keeping with the GDPR’s headline penalties, which can be as much as €20 million or 4% of annual turnover for the biggest data transgressions.
The sum is also the largest settlement that state attorneys general have reached in a privacy case; the closest comparison is the $18.5 million that Target Corp had to pay last year following a breach in which 41 million customers had their data stolen.
Uber will now have to change its business practices to reduce the chance of future breaches and to revamp a corporate culture that has been shown to be unfit for purpose in the modern world.
Uber Chief Legal Officer Tony West said:
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”