In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into a company database and accessed the personal data (names, email addresses and cellphone numbers) of 57 million of its users. The disconcerting revelation was that the company had covered up the hack for more than a year.
The attackers also accessed the names and driver's license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016. According to a report published by Bloomberg, it was easy: the hackers obtained credentials from a private GitHub site used by the company's development team. They then tried to blackmail Uber, demanding $100,000 in exchange for not publishing the stolen data.
Rather than notify customers and law enforcement of the data breach, as required by California's data security breach notification law, the chief of information security, Joe Sullivan, ordered the ransom paid and the story covered up, with any evidence destroyed. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.
Now Britain's Information Commissioner's Office (ICO) has fined Uber 385,000 pounds ($491,102) for failing to protect the personal information of 3 million Britons.
“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.
A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company. This included full names, email addresses and phone numbers.” states the ICO.
“The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.”
ICO Director of Investigations Steve Eckersley declared:
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
The UK ICO confirmed that none of the affected customers were notified of the security breach.
The Dutch Data Protection Authority (Dutch DPA) fined the company 600,000 euro ($679,790) for failing to protect the personal information of 174,000 Dutch citizens.
“The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation.” states the Dutch DPA.
“This data breach has affected 57 million Uber users worldwide, and concerns 174.000 Dutch citizens. Amongst the data were names, e-mail addresses and telephone numbers of customers and drivers.”
In an official statement, Uber announced that it is “pleased to close this chapter on the data incident from 2016.”
The company highlighted that it has introduced a number of technical improvements since the data breach.
“We learn from our mistakes,” the company said.
(Security Affairs – data protection, UK Parliament)