Just months earlier, the attorney generals from all U.S. states announced that California-based Uber was hit with a $148 million fine for failing to report a 2016 data breach. Now, the UK’s ICO (Information Commissioner’s Office) has fined Uber £385,000 ($494,000) for a data breach affecting 35 million people.
In November 2016, attackers accessed Uber’s Cloud servers, which contained passengers’ names, phone numbers, email addresses and the location where they had signed up.
The crooks also accessed the personal data of 3.7 million drivers. Their weekly pay, trip summaries and, in some cases, driving license numbers, were compromised.
Meanwhile, the Dutch Data Protection Authority fined Uber €600,000 ($682,000) under its own legislation.
Steve Eckersley, the ICO’s director of investigations, said the incident displayed “not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen”.
The issue was compounded by Uber US’s decision not to disclose the attack. Instead, it agreed to pay the crooks $100,000 as a “bug bounty”.
Bug bounties are common in the cybersecurity industry, with organizations offering financial rewards to researchers who find and notify them of system weaknesses.
However, if the organization suspects that sensitive information has been compromised, it is obliged to disclose the incident. Uber didn’t do that until a year later when Bloomberg revealed the cover-up.
At the time of the breach, Uber was under investigation for separate claims of privacy violations, which probably affected its decision-making. But these are not the only controversies it has been involved in. Since it was founded in 2009, Uber has faced four other criminal probes, which have looked into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property.
Uber also faces dozens of civil lawsuits, with London among several cities to have taken steps to ban its service.
Because the incident occurred before the EU’s GDPR (General Data Protection Regulation) took effect, Uber escaped a much larger penalty. The ICO based its decision around the requirements of the GDPR’s predecessor, the Data Protection Act 1998.
So why didn’t Uber receive the biggest possible fine? There are three reasons. First, Uber’s European branches weren’t informed of the breach, meaning those who were responsible for disclosing the incident had no knowledge of it. Second, the ICO investigation revealed that there was little evidence that the compromised data was misused.
Finally, Uber was quick to make widespread changes once its security failings had been made public. Dara Khosrowshahi took over as the organization’s CEO in September 2017 and insisted that “we are changing the way we do business”.
That has so far proven to be true, with the organization confirming that it had made “a number of technical improvements to the security of [its] systems both in the immediate wake of the incident as well as in the years since”.
Some, if not most, of those changes were likely mandated by data protection authorities, but willingness to improve information security is still enough to mitigate financial penalties.
How will you respond to a data breach?
A recent Ponemon Institute survey found that one in four organizations will fall victim to a data breach within the next two years. This means there’s a good chance you could suffer a similar fate to Uber. But will you be able to manage the process effectively or face harsh penalties that could have long-term effects?
Find out how prepared your organization is for a data breach with our free assessment.