Uber fined £385,000 for data breach affecting millions

35 million users and 3.7 million drivers not told of Uber data hack in 2016

The Information Commissioner’s Office (ICO) has fined the European operation of Uber £385,000 for a data breach in 2016. According to the ICO, the Uber data hack affected almost 3 million British users.

In November 2016, hackers gained access to Uber’s cloud servers and downloaded 16 large files. These files included personal information of 35 million users worldwide. The records exposed passengers’ full names, phone numbers, email addresses, and the location where they had signed up.

3.7 million drivers were also affected by the Uber data hack, including 82,000 from the UK. Their weekly pay, trip summaries and, in a small number of cases, driver’s licence numbers were accessed.
Uber data hack caused by “inadequate information security”
The ICO said the breach was caused by inadequate security, and was compounded by Uber’s decision not to disclose the attack. Instead, the firm complied with the hackers’ demand for $100,000, which it paid as a “bug bounty”. Such bounties are common in the security industry, with businesses offering rewards to researchers who find and responsibly report vulnerabilities before they can be exploited. However, the ICO wrote:
Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients. Instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users.
The ICO said none of the people whose personal data had been compromised were notified of the Uber data hack. Instead, the company only began monitoring the affected accounts for fraud 12 months after the attack. However, the potential penalty was mitigated by the fact that Uber’s European branches had themselves not been informed of the breach. This meant the European operation was not able to report it to the commissioner.
In a statement, Uber said:
We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.