Peer-to-peer ride-sharing platform Uber has received a fine of £385,000 from the Information Commissioner’s Office, following a data breach that has affected almost three million customers.
The European branch failed to notify over 35 million users and 3.7 million drivers following a hack in November 2016.
Cyber attackers obtained credentials to access Uber’s cloud servers and downloaded multiple files for users across the world.
The hacked records included full names, contact details and the locations where users had used the app.
ICO Director of Investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Industry comment: Mark Adams, Regional Vice President of UK & Ireland, Veeam
“Uber has paid the price for those avoidable data security flaws. The hefty fine serves as an unfortunate reminder that breaches can happen to any business, and many will argue that the ICO’s punishment was entirely justified given the ride-hailing company’s incident response – which could be described as ‘apathetic’ at best.
“We would hope that Uber has learnt from the mistakes it has made and now takes its approach to data management more seriously. For any company hoping to ensure they avoid them altogether, we’d recommend working quickly to deliver a company-wide employee training program on data protection and phishing attacks. Human-led errors are still the weakest link in the security chain for a business. No matter who you are or who you work for, this has to be right and employees have to be more aware of their actions.
“From a technology standpoint, knowing how to find and implement intelligent data management tools that can spot irregularities automatically and act accordingly is crucial. Are the latest security products helpful? Sure, to an extent. They are a great first line of defence. But when the first barriers are breached, what have you got left to protect your business and its staff? For many, the answer is nothing at all. There can never be an ‘it will never happen to us’ mentality. Being prepared for the absolute worst might seem excessive to begin with, but this is the key to a successful data breach response. It’s near impossible to prevent all data leakage and data theft, but a strong and versatile incident response process can help significantly reduce the pain associated with these types of data breach issues.”