Uber was fined £385,000 for “a series of avoidable data security flaws” which allowed hackers to download the personal information of 2.7 million customers.
The Information Commissioners Office (ICO) found Uber was guilty of a “serious breach” of UK data protection law and showed a “complete disregard” for the customers and drivers whose information was stolen.
Full names, email addresses and phone numbers were obtained during the October and November 2016 attack. However, Uber did not inform customers or drivers for more than a year. Instead it paid the attackers $100,000 (£78,000) to destroy the information they had downloaded.
Chun Wong, partner at Hodge Jones and Allen who specialise in data breach cases, said: “Uber’s flagrant disregard with people’s data and then attempts to cover it up signifies one of the worst data breaches we have seen to date. Uber will consider themselves fortunate that higher fines brought in in May this year were not in force, which could have meant them facing fines of up to four per cent of their turnover or 20 million euros, whichever is the higher.
“The fine of £385,000 seems a small price to pay and will be of little comfort to those affected. Millions of people who had their data stolen will need to think twice now about using the services of a business that shows an apparent contempt for upholding the highest standards to safeguard personal data of their customers.”