Uber fined more than $492,000 in Europe for 2016 data breach

The ride-sharing service has been fined by the European Information Commissioner's Office for choosing not to disclose a data breach in which 3 million British customers' personal information was stolen.

28 Nov

Uber has been fined £385,000 ($492,264) by the European Information Commissioner's Office (ICO) for the 2016 data breach, in which personal information belonging to 35 million customers and 3.7 million drivers across the globe was stolen from Uber's servers.

This follows the $148m settlement in the US (25 million US users were affected). The severity of the fine was predicated not only on the scale of the attack but also on Uber's handling of it. Instead of informing authorities, users or drivers about the breach, the company reportedly paid hackers to delete the data they had stolen in an effort to conceal the incident.


Uber's European operation has not been fined as heavily because of the $500,000 maximum financial penalty attached to the former Data Protection Act of 1998. Had the data breach happened today, under the current GDPR regulations passed this year, Uber might have faced a significantly higher fine of up to 4% of its global revenue.

Following the announcement of the fine, the ICO wrote: "Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users."

Uber has also since released a statement claiming that it is "pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since".

The company added: "We've also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day." 
