British and Dutch regulators fine Uber for 2016 hack

Regulators fined the ride-hailing firm more than £900,000

The Information Commissioner's Office and Dutch Data Protection Authority have issued Uber with combined fines of more than £900,000, for its failure to protect customers' personal information when it was breached in 2016.

The ICO, which has levelled a £385,000 penalty, said that Uber had shown a "complete disregard" for the affected parties. It added, "A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company."

In the Netherlands, where 174,000 citizens were affected, the DDPA fined the ride-sharing firm €600,000 (£532,000).

The breach affected more than 57 million customers and drivers worldwide, and Uber hid the fact for more than a year, only admitting to it when then-CEO Travis Kalanick left the company and was replaced by Dara Khosrowshahi.

Reuters claimed that the hacker was a 20-year-old man living with his mother, whom Uber paid $100,000 (around £75,000) to delete the stolen data. The company hid the payment by routing it through its bug bounty programme.

According to the ICO, the breach involved 'credential stuffing', in which compromised username and password pairs are entered into various websites until they are matched to an existing account.

The stolen information included the names, email addresses and mobile phone numbers of Uber customers, but not credit card details or trip history.

The ICO's director of investigations, Steve Eckersley, said, "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen.

"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

In September, all 50 US states and the District of Columbia levelled a $148 million fine at Uber for the breach.