Uber has been fined £385,000 by the Information Commissioner’s Office (ICO) for failing to protect customers’ personal information during a cyber attack.
Approximately 2.7 million Uber user accounts in the UK were accessed and downloaded in a cyber attack in 2016, which Uber did not initially report.
An ICO statement said that ‘a series of avoidable data security flaws’ allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company.
Instead of contacting affected customers and drivers at the time, an ICO report said Uber paid the attackers responsible $100,000 (£78,294) to destroy the data they had downloaded.
The ICO has previously warned that deliberately concealing breaches from regulators and citizens could attract higher fines for companies.
An Uber spokesperson said: ‘As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.
‘We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer.’
What information did cyber attackers access about Uber users?
The personal data accessed included full names, email addresses and phone numbers.
A spokesperson for the National Cyber Security Centre (NCSC) said: ‘We assess that the stolen information doesn’t pose a direct threat to people or allow direct financial crime. Indications are that the breach involved user names, email addresses and mobile phone numbers.’
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in 2016.
Your rights when there’s a breach
If it’s likely that a data breach poses a risk to UK citizens, it’s the company’s responsibility to report that breach to the ICO. It should also inform the NCSC if a cyber attack was the cause.
The company must also establish the likelihood and severity of the risk to your rights and freedoms following a breach.
It’s also required to take steps to reduce any harm to consumers, which includes contacting affected customers.
The company should explain to you:
- the name and contact details of its data protection officer or other contact point that can provide more information
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
In response to affected Uber customers and drivers not being informed about what had happened for more than a year, ICO director of investigations Steve Eckersley said: ‘This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
‘At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.’
Has your Uber account been affected?
An ICO spokesperson said: ‘On its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus emails or calls appear more credible. People should continue to be vigilant and follow the advice from the NCSC.’
If you have an Uber account and are concerned, you should:
- Immediately change the passwords you used with Uber
- If you reused the same password on other accounts, change the password on those, too
- If you think you’ve been a victim of cyber crime or cyber-enabled fraud, contact Action Fraud.