Uber fined £385k for 'serious failure' in protecting customer data


Tuesday, November 27, 2018

Uber has been fined £385,000 by the Information Commissioner's Office over a "serious failure" to protect customers' personal information during a cyber attack.

The personal details of around 2.7 million customers in the UK were accessed and downloaded in the attack, including full names, email addresses and phone numbers.

The records of 82,000 UK-based drivers were also taken during the incident, including details of journeys they made and how much they were paid.



Customers and drivers affected by the hack - which took place in October and November 2016 - were not told about it for over a year.

In a statement, the ICO said a series of "avoidable data security flaws" allowed cyber attackers to carry out the hack, taking the data from a cloud-based storage system operated by Uber's US parent company.

ICO director of investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen.

"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."