Uber is once again in the headlines today over a data breach which occurred 12 months ago. The news first broke at Bloomberg yesterday, which reported that the personal information of 57 million customers and drivers was stolen by hackers. Instead of reporting the security breach, the then chief security officer and his deputy concealed it and paid the hackers $100,000 for the destruction of the stolen personal data.
Information about the breach is contained on their website www.uber.com
The BBC has reported that the Information Commissioner's Office (ICO) is now considering the next steps that Uber will need to take.
Under the current Data Protection Act, a fine of up to £500,000 can be levied by the ICO. A security breach in itself is not the issue; the ICO will look at whether there were reasonable measures which could have been taken to prevent the hacking. This is what happened to TalkTalk in October 2016, when they were fined £400,000 over the cyber-attack of October 2015.
Add to that the deliberate cover-up of the breach, and the ICO will undoubtedly need to make an example of Uber, both to deter recurrence and to maintain public confidence in its ability as a regulator.
Even that will seem a small price compared with the penalties under the new rules due to come into effect in May 2018 (the General Data Protection Regulation, GDPR): a company will face fines of up to 4% of its annual worldwide turnover or 20 million euros, whichever is the higher.
In addition, under the new rules there is a mandatory duty to notify the regulator within a window of only 72 hours of becoming aware of a breach, a duty Uber would clearly have fallen foul of.
We need to think twice now about using the services of a business that shows such apparent disregard for the standards required to safeguard the personal data of its customers.