Uber has been fined £385,000 by the Information Commissioner's Office over a "serious failure" to protect customers' personal information during a cyber attack.
The personal details of around 2.7 million customers in the UK were accessed and downloaded in the attack, including full names, email addresses and phone numbers.
The records of 82,000 UK-based drivers were also taken during the incident, including details of journeys they made and how much they were paid.
- Read more: GMB Organiser: ‘Uber want to get away with as little cost to them as possible’
- Read more: Uber granted 15-month operating permit in London
Customers and drivers affected by the hack - which took place in October and November 2016 - were not told about it for over a year.
In a statement, the ICO said it was a series of "avoidable data security flaws" that allowed the hack to take place, which was carried out by cyber attackers from a cloud-based storage system operated by Uber's US parent company.
ICO director of investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen.
"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."