The U.K.’s Information Commissioner’s Office (ICO) is fining Uber for not properly protecting customers’ personal information.
The $490,000 fine is for “avoidable data security flaws” that allowed the personal details of approximately 2.7 million customers in the U.K. to be accessed and downloaded by cyber attackers. This included full names, email addresses and phone numbers, according to the report.
Drivers were also affected by the data breach. Details of journeys made and how much they were paid were among the information taken during the 2016 attack.
Adding to the problem, customers and drivers were not told about the incident for more than one year. The report also notes that, rather than informing those affected about the breach, Uber paid the hackers $100,000 to destroy the information.
“This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO director of investigations Steve Eckersley.
From a legal standpoint, the incident breaches principle seven of the U.K.’s Data Protection Act 1998, and the action only came to light in November of 2017 when Uber reported it to the media.
“Paying the attackers and then keeping quiet about it afterward was not, in our view, an appropriate response to the cyber attack,” added Eckersley. “Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
A separate fine was also issued today by the Autoriteit Persoonsgegevens for a similar incident that took place in the Netherlands.