Uber paid cyber thieves to cover up massive breach of customer data
Uber has been fined £385,000 by a UK watchdog for failing to protect customers’ personal information during a cyber attack.
A series of “avoidable data security flaws” allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers, the Information Commissioner’s Office (ICO) said. This included full names, email addresses and phone numbers, exposing people to an “increased risk of fraud”.
The records of almost 82,000 UK drivers, including details of journeys made and how much they were paid, were also taken during the incident in October and November 2016.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
“At the time, no steps were taken to inform anyone affected by the breach or to offer help and support.” Hackers obtained personal details of 57 million Uber customers and drivers worldwide from a cloud-based storage system operated by the ride hailing app firm’s US parent company.
Customers and drivers affected were only alerted when Uber made an announcement in November last year.
Uber paid the attackers responsible $100,000 (£78,000) to destroy the data they had downloaded. Mr Eckersley added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the attack.”