Fine issued to Uber over historical data breach shortfall

Uber has been hit by a financial penalty and criticised for its neglect of its service users following a hack on the firm’s IT systems in 2016, Sky news reports.

 The popular cab brand must now stump up £900,000 to regulators in the UK and Holland following a breach that occurred two years ago, in which the personal details of millions of users was acquired by hackers.

Transparency – a key tenet of today’s cyber security culture – was not on display in Uber’s response to the intrusion at the time, as the problem was kept out of the public eye.

This amounted to a “complete disregard” for the data privacy of users plus some 82,000 drivers whose details were compromised, the Information Commissioner’s Office said, before hitting Uber with a £385,000 fee for its unethical behaviour.

The predicament led to 174,000 Uber users’ details being accessed by hackers in Holland, where the Dutch data protection authority wielded a €600,000 penalty to the company.

Not until a year after the initial breach did news emerge of the attack, which affected 57 million users of Uber’s service in total. At the time of the disclosure, it was found that Uber gave the hackers $100,000 to delete the stolen information, instead of notifying victims of the attack.

Customers’ user data was accessed from the cloud operated by Uber in the States, in a process that was helped on by “avoidable data security flaws” in the firm’s infrastructure, the ICO said. Full names, phone numbers and email addresses were among data compromised.

Industry experts have been quick to lend their opinion to the situation
Rich Campagna, CMO at Bitglass said:

“This fine shows that even the most prominent public organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties.

“Unless organisations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”

Stephen Moore, chief security strategist, Exabeam said:

“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.

“To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour–to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts.

“This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents.”

Luke Brown, VP EMEA at WinMagic said:

“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that Uber hadn’t deployed encryption technology across all its platforms and environments.

“It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place.

“Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.