Uber’s massive 2016 data breach, which exposed the details of 57 million people around the world — and which the company tried to cover up — has earned it $1.17 million in fines from data protection regulators in the U.K. and the Netherlands.
The fines are relatively small for such an egregious violation of European privacy laws — £385,000 ($491,250) in the U.K. and €600,000 ($679,420) in the Netherlands. However, that’s largely because the breach and the cover-up occurred under older, weaker privacy laws, before the introduction of the EU’s tough new General Data Protection Regulation (GDPR), which allows for fines of up to 4% of global annual revenues.
As such, these are fairly tough enforcement measures — though not quite at the maximum possible level — and give an indication of the treatment companies can expect in the future, if they continue to break data protection laws in Europe. EU privacy regulators coordinated their efforts on this case, which again points to its severity.
Under the stewardship of former CEO Travis Kalanick, Uber paid the hacker $100,000 to keep quiet and destroy the information — including names, email addresses, phone numbers and journey details — that was stolen from Uber’s systems.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said Steve Eckersley, the director of investigations at the U.K. Information Commissioner’s Office (ICO).
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” Eckersley continued. “Although there was no legal duty to report data breaches under the old [British] legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
By way of contrast, the Dutch data protection law that applied in 2016 did require Uber to disclose the breach, within 72 hours of learning about it, to the local privacy regulator and the affected people.
Of the total 57 million people whose data was taken by the hacker, 174,000 were Dutch citizens, 2.7 million were U.K. customers and almost 82,000 were U.K. drivers.
A further 600,000 U.S. drivers were affected by the hack. In September, the company was ordered to pay $148 million and tighten data security after it reached an agreement with all 50 U.S. states and the District of Columbia.
“This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Lisa Madigan, the Illinois attorney general, told the Associated Press. “And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.”
“We’re pleased to close this chapter on the data incident from 2016,” Uber said in a statement. “As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer.”
“We learn from our mistakes and continue our commitment to earn the trust of our users every day.”
This article was updated to include Uber’s statement.