Uber has been hit with a £385,000 fine by the UK’s data protection regulator after a notorious breach in October/November 2016 which affected over 2.7 million customers and drivers.
The Information Commissioner’s Office (ICO) branded the incident the result of “a series of avoidable data security flaws.”
The hackers managed to obtain username and password combinations previously made available via breaches and apply credential stuffing techniques to crack an Uber GitHub account. In fact, the attackers were able to identify the passwords for GitHub accounts belonging to 12 Uber employees as a result.
In one account they found Amazon IAM credentials for an Uber AWS account embedded in a piece of code. This enabled them to access the AWS S3 data stores containing the customer and driver data.
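The root cause described above, cloud credentials committed to source code, is exactly what a repository secret scan is meant to catch before a push or at review time. The following is an added example, not Uber's or the ICO's material: a small Python scanner that flags AWS access key IDs and secret access keys in text, returning redacted findings; the regexes, the redaction format and the constructed sample source are assumptions (the sample uses the example credential values that AWS itself publishes in its documentation, which are not real keys).

```python
import re
from typing import Dict, List, Tuple

# Assumed formats: AWS access key IDs are "AKIA" followed by 16 uppercase
# alphanumerics; secret access keys are 40 base64-like characters, usually
# next to a label containing "aws" and "secret".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,30}?secret.{0,30}?['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

Finding = Tuple[int, str, str]  # (line number, kind, redacted value)


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one finding per credential-looking value, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a mapping of path -> contents, e.g. the staged files in a pre-commit hook."""
    return [(path, *f) for path, text in files.items() for f in scan_text(text)]


# Constructed sample: a script with hardcoded keys, using AWS's documented example values.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
"""

if __name__ == "__main__":
    for path, lineno, kind, value in scan_files({"upload.py": SAMPLE_SOURCE}):
        print(f"{path}:{lineno}: {kind} {value}")
```

A hit in a scan like this should block the commit and trigger rotation of the key, since anything already pushed to a shared repository must be treated as exposed.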
This litany of security missteps allowed attackers to obtain details including full names, email addresses and phone numbers of 2.7 million UK customers and 82,000 drivers — plus details of journeys and how much drivers were paid.
However, Uber added insult to injury by paying $100,000 to the hackers for them to destroy the data. The firm subsequently kept the incident a secret until new CEO Dara Khosrowshahi came clean in November 2017.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO director of investigations, Steve Eckersley.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
It goes without saying that under the current GDPR regime, Uber’s fine would have been significantly greater.
The Dutch privacy watchdog also issued a fine today in respect of the 174,000 Dutch citizens affected, deciding to levy a harsher €600,000 (£532,000; $679,000).