In a significant enforcement action, British and Dutch data protection regulators have collectively fined Uber approximately $1.17 million for its failure to adequately safeguard customer data during a 2016 cyber incident that compromised the personal information of millions of users. The penalties levied stem from a breach that exposed the names, email addresses, and phone numbers of around 57 million Uber drivers and riders, alongside the driving license information of roughly 600,000 drivers.

Uber disclosed the breach last year, revealing that rather than promptly informing authorities and affected users, the company opted to pay hackers a ransom of $100,000 to prevent the disclosure of the incident. This decision raised concerns regarding compliance and the prioritization of corporate damage control over consumer protection.

The Information Commissioner’s Office (ICO) in the UK issued a fine of £385,000 (approximately $491,102), while the Dutch Data Protection Authority imposed a fine of €600,000 (about $679,790). These penalties corresponded to the failures in protecting the personal data of 3 million individuals in the UK and 174,000 in the Netherlands.

In an official statement, the Dutch DPA emphasized that Uber had not reported the breach within the required 72 hours after its discovery, which constitutes a significant violation of data protection rules. The ICO further detailed that the attackers used a credential stuffing attack, replaying username and password pairs compromised elsewhere against Uber’s systems. This method could have been mitigated through basic security controls.
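The credential stuffing pattern the ICO describes (password pairs stolen elsewhere replayed against a login endpoint) leaves a recognizable footprint in authentication logs: one source address trying many distinct accounts in a short window, with most attempts failing. The detector below is an added example and is not code from the article, the ICO or Uber; the log format, the sample lines and the thresholds are all constructed assumptions that would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example; not Uber data).
# 203.0.113.7 sprays eight different accounts in a few seconds (one hits);
# 198.51.100.4 is one user mistyping a password; 192.0.2.9 is slow and scattered.
SAMPLE_LOG = """\
2016-10-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2016-10-12T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2016-10-12T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2016-10-12T10:00:03Z src=203.0.113.7 user=dave result=OK
2016-10-12T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2016-10-12T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2016-10-12T10:00:05Z src=203.0.113.7 user=grace result=FAIL
2016-10-12T10:00:05Z src=203.0.113.7 user=heidi result=FAIL
2016-10-12T10:01:10Z src=198.51.100.4 user=alice result=FAIL
2016-10-12T10:01:25Z src=198.51.100.4 user=alice result=FAIL
2016-10-12T10:01:40Z src=198.51.100.4 user=alice result=OK
2016-10-12T08:00:00Z src=192.0.2.9 user=ivan result=FAIL
2016-10-12T09:30:00Z src=192.0.2.9 user=judy result=FAIL
2016-10-12T11:00:00Z src=192.0.2.9 user=mallory result=FAIL
2016-10-12T12:30:00Z src=192.0.2.9 user=oscar result=FAIL
2016-10-12T14:00:00Z src=192.0.2.9 user=peggy result=FAIL
2016-10-12T15:30:00Z src=192.0.2.9 user=trent result=FAIL
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a tuple."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.75):
    """Flag source addresses that, within any sliding window, attempt at least
    `min_users` distinct accounts with a failure ratio of at least `min_fail_ratio`.
    Returns {src: summary} with the strongest window seen for each flagged source.
    Thresholds are assumptions for illustration, not recommended production values."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until every event fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                previous = alerts.get(src)
                if previous is None or len(users) > previous["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        # Accounts that accepted a replayed password need forced resets.
                        "compromised_accounts": sorted(u for _, u, r in span if r == "OK"),
                    }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

The successful logins inside a flagged window are the actionable output: they identify accounts whose reused passwords worked and should be reset, while the source address itself is a candidate for rate limiting. Per-source rate limits and multi-factor authentication on the login path are the kind of basic control that blunts this pattern before it reaches this detector.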

The ICO also noted that Uber’s handling of the breach did not align with standard practices of its bug bounty program. Instead of addressing the vulnerability through responsible disclosure, Uber engaged with malicious actors who exploited the system, highlighting systemic weaknesses in incident response strategies.

At the time of the breach, Uber notified regulatory authorities and offered affected drivers complimentary identity theft protection and credit monitoring services. The company has consistently maintained that no sensitive financial information, including credit card numbers or social security data, was accessed during the attack.

With the breach occurring prior to the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018, Uber faced fines under the older Data Protection Act of 1998, which were notably lower than what could have been imposed under GDPR provisions. Under GDPR, a company could face fines reaching up to 17 million pounds or 4% of its global revenue for severe privacy violations.

This case not only underscores the importance of robust cybersecurity measures but also highlights the critical need for timely incident reporting. In recent months, regulatory actions have intensified, exemplified by significant penalties imposed on Facebook and Equifax, reinforcing the increasing scrutiny data protection practices face globally.

As organizations grapple with evolving cyber threats, frameworks like the MITRE ATT&CK Matrix can provide valuable insights into potential weaknesses. In Uber’s case, initial access via credential stuffing, together with inadequate response procedures, points to areas where businesses can strengthen their security posture against sophisticated adversary techniques. As the data protection landscape continues to evolve, the lessons drawn from incidents like this are essential for guiding future compliance and risk management strategies.
