020 7650 1200

Cars parked on road

ICO fines Uber £385,000 over mass data breach

A leading data protection lawyer welcomes decision of the Information Commissioner's Office (ICO) to fine Uber £385,000 over data breach failings

Posted on 27 November 2018

The decision of the ICO to fine Uber £385,000 follows a cyber-attack of a cloud based storage system operated by Uber’s US parent company in October and November 2016 that allowed the personal details of around 57 million customers and drivers worldwide (including 2.7 million customers and 82,000 drivers based in the UK) to be accessed.

Hacked customer information included their names, phone numbers, email addresses and the location where they had signed up.

Driver information included their weekly pay, trip summaries and, in a very small number of cases, their car licence details.

In finding a breach of the Data Protection Act 1998, the Information Commissioner’s Office identified a series of avoidable data security flaws by Uber which allowed the data breach.

The ICO were also very critical of the failure of Uber to report the data breach to either themselves or affected customers and drivers for over a year afterwards, something which they considered was likely to compound the distress suffered by those affected.

The ICO were also critical of Uber’s decision to pay the hackers a “bug bounty” of $100,000 to destroy the data they had obtained.

The Dutch Data Protection Authority have also fined Uber £532,000 in relation to the incident. In September 2018, Uber agreed to pay $148 million to all 50 US states over the data breach.

Sean Humber, head of the Information Law Team at law firm Leigh Day, who has acted in a succession of claims for compensation relating to the unauthorised disclosure of personal information over the last 20 years, said: “The ICO report confirms the inadequacy of not only Uber’s data security measures but also their response to the hack. It is inexcusable that it took them over a year to notify those affected that their personal information had been compromised, particularly as the breach left them vulnerable to the increased risks of fraud.

“Completely separate from this fine, those affected by the data breach may have claims for compensation against Uber for failing to adequately protect their personal information. This would include not only any claims by those suffering any financial loss but also claims by those suffering distress and inconvenience as a result of the breach."