On 27 November Dutch and British regulators hit Uber with a $1,170,892 fine. Uber was fined because of a 2016 cyber attack that exposed millions of users’ data.
In 2017 Uber released details of the attack that occurred in 2016. The 2016 attack exposed email addresses, names, and phone numbers of around 57 million users and drivers. Additionally, 600,000 drivers driving license numbers were leaked.
The attack was a stuffing attack on Uber’s cloud storage. Attackers tried different username and password pairs until they hit a match. Uber’s response to the attack has been criticized.
Drivers whose information was compromised were notified and offered free credit monitoring and identity theft protection, however, UK customers who were affected were not notified. This meant millions of British people were vulnerable to other attacks now their information was out there, and they weren’t given the opportunity to take control of their data.
The fine is joint between the UK and the Netherlands, with Britain’s Information Commissioner’s Office (ICO) fining Uber £385,000 ($491,102) and the Dutch Protection Authority (Dutch DPA) fining EUR600,000 ($679,790). Citizens of both countries were affected by the attack, with information from 3 million British citizens leaked, and 174,000 Dutch citizens.
Uber has reiterated that the breach was limited and other personal information wasn’t leaked. For example trip location history, bank account numbers, social security numbers, credit card numbers and dates of birth were not affected.
It could be argued that Uber got off lightly with the fine they received since the fine was calculated based on the 1998 Data Protection Act, rather than GDPR which only came into effect in May this year. Under GDPR there are two levels of fines, the first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. Enacting these fines would have resulted in a much higher fine for Uber.