The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

A series of avoidable data security flaws allowed the personal details of around 2.7million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.

The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.

The ICO investigation found ‘credential stuffing’, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.

However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.

ICO Director of Investigations Steve Eckersley said:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The incident, a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud. It came to light when an announcement, made by the company itself, was reported by the media in November 2017.

Mr Eckersley added:

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The data protection authority for the Netherlands, the Autoriteit Persoonsgegevens, has also issued a fine to Uber today under its own pre-GDPR legislation. The Dutch regulator was the lead member of an international task force which included the ICO and which co-operated in investigating the effects of the incident in their respective jurisdictions.

 

Notes to Editors

  • The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  • The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  • The General Data Protection Regulation (GDPR) is a new data protection law which applies in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
  • Due to the timing of this investigation, the civil monetary penalty has been issued under the previous legislation, the Data Protection Act 1998. The maximum financial penalty in civil cases under former laws is £500,000.
  • Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  • Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  • The GDPR and the DPA2018 gave the ICO new strengthened powers, some of which, such as assessment notices can be used for this investigation.
  • The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary; and
  • Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.”
  • Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  • Civil Monetary Penalties (CMPs) under past and current law are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
  • Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by ICO.