The Information Commissioner’s Office (ICO) has fined Uber £385,000 for a 2016 cyber attack in which hackers took advantage of a ‘series of avoidable data security flaws’ and downloaded personal data from 2.7 million UK customers.
Uber did not inform customers about the breach at the time, and doubled down on that stance by attempting to pay off the hackers and buy their silence.
"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack," said ICO Director of Investigations Steve Eckersley. "Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."
The records of more than 80,000 UK-based drivers, including details of their payments, were also downloaded in the incident. The fine - one of the last pre-GDPR fines - is close to the £500,000 maximum possible under the Data Protection Act.
Joseph Carson, chief security scientist at Thycotic, told SC Media UK:
"The fact that Uber concealed the data breach increased the cyber-risk of both drivers and customers as well as a loss of trust from investors and governments. Consider if Uber has a similar data breach occur today then the equivalent fine for Uber under the EU GDPR would be approx US$ 200 million (£157 million). This should be a big reminder that Data Breaches in 2019 will carry a more significant financial penalty versus those that occurred before May 2018. The recent fines by the UK ICO should be a warning to those companies that have experienced data breaches after May 2018 which includes Facebook and British Airways.
"The mishandling of credentials for an Amazon Web Services account behind the data breach shows that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials."
Javvad Malik, security advocate at AlienVault agreed: "The Uber fine shouldn't come as a surprise to anyone that has been following the story. The company had inadequate protective and detective security controls. To make matters worse, the company tried to cover up the breach and paid money to keep things quiet, and in the process exposed its customers. While breaches are an unfortunate cost of doing business these days, it's how a company acts in response that can make the difference between a large fine and a warning."
Stephen Moore, Chief Security Strategist at Exabeam said that the case offered plenty of food for thought for CSOs: "In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts. To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour--to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents."
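The behavioural approach Moore describes above, detecting logins that deviate from what a user normally does and spotting one source replaying leaked credentials against many accounts, can be illustrated with a small baseline-and-deviation detector. This is an added example and not code from Uber, Exabeam or the ICO; every log event, user name, IP address (from the documentation range 203.0.113.0/24) and the stuffing threshold are constructed for the illustration.

```python
"""Baseline-and-deviation login detector over constructed login events.

Added illustration, not code from any party named in the article. Each user
gets a behavioural baseline (countries and devices seen in earlier successful
logins). In the detection window, a successful login outside that baseline is
flagged, and a source IP that fails against many distinct accounts (the
pattern of replaying previously breached credentials) is flagged too.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    user: str
    src_ip: str
    country: str
    device: str
    success: bool


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def build_baselines(events, until_ts):
    """Learn a per-user profile from successful logins before `until_ts`."""
    baselines = defaultdict(Baseline)
    for e in events:
        if e.success and e.ts < until_ts:
            baselines[e.user].countries.add(e.country)
            baselines[e.user].devices.add(e.device)
    return baselines


def detect(events, until_ts, stuffing_threshold=3):
    """Return alerts for (a) successful logins in the detection window that
    deviate from the user's baseline and (b) source IPs that failed against at
    least `stuffing_threshold` distinct accounts (a constructed threshold)."""
    baselines = build_baselines(events, until_ts)
    alerts = []
    failed_accounts_by_ip = defaultdict(set)
    for e in events:
        if e.ts < until_ts:
            continue  # training window, already consumed by build_baselines
        if not e.success:
            failed_accounts_by_ip[e.src_ip].add(e.user)
            continue
        b = baselines.get(e.user)  # .get() does not create a default entry
        if b is None:
            continue  # no history for this user, so no deviation to score
        reasons = []
        if e.country not in b.countries:
            reasons.append(f"new country {e.country}")
        if e.device not in b.devices:
            reasons.append(f"new device {e.device}")
        if reasons:
            alerts.append(("anomalous_login", e.user, e.src_ip, "; ".join(reasons)))
    for ip, users in failed_accounts_by_ip.items():
        if len(users) >= stuffing_threshold:
            alerts.append(("credential_stuffing", ip, len(users)))
    return alerts


# Constructed sample log: three normal logins form the baseline (ts < 1000),
# then one source IP fails against three accounts and logs into bob's account
# from a country and device bob has never used.
SAMPLE_EVENTS = [
    LoginEvent(100, "alice", "198.51.100.10", "GB", "ios-app-1", True),
    LoginEvent(200, "alice", "198.51.100.10", "GB", "ios-app-1", True),
    LoginEvent(300, "bob", "198.51.100.20", "GB", "android-2", True),
    LoginEvent(1010, "carol", "203.0.113.5", "RU", "linux-curl", False),
    LoginEvent(1020, "dave", "203.0.113.5", "RU", "linux-curl", False),
    LoginEvent(1030, "erin", "203.0.113.5", "RU", "linux-curl", False),
    LoginEvent(1100, "bob", "203.0.113.5", "RU", "linux-curl", True),
    LoginEvent(1200, "alice", "198.51.100.10", "GB", "ios-app-1", True),
]


def run_example():
    """Run the detector on the constructed sample with the training cut at ts=1000."""
    return detect(SAMPLE_EVENTS, until_ts=1000)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The two alert types map onto Moore's point: the per-user baseline supplies the behavioural characteristics that make a valid-password login still look wrong, and the per-IP failure count surfaces the replay of leaked credentials before any account is compromised. A real deployment would persist baselines, age them, and add more signals (login time of day, ASN, impossible travel), but the scoring shape is the same.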
The attack impacted a large number of global users, with up to 57 million Uber users and 600,000 drivers worldwide.
The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €600,000 (£532,000) on Uber, mainly for not reporting the incident to the Dutch DPA within 72 hours. The Dutch watchdog said that 174,000 Dutch citizens were affected. Uber agreed in September 2018 to pay US$ 148 million (£112 million) in a settlement reached with 50 US states and the District of Columbia over the breach.