Uber’s bill for 2016 breach and cover-up rises by $1M+ on EU fines
The legal bill for Uber’s 2016 data breach, which affected some 57 million customers, revealing names, email addresses and phone numbers, has increased by more than a million dollars.
Two months ago the ride-hailing giant agreed to pay $148M to resolve legal inquiries pertaining to the breach in the U.S., with that settlement covering all 50 states and the District of Columbia.
However the breach also involved European users’ data. And yesterday the UK’s data protection watchdog, the ICO, announced it was fining Uber £385,000 (~$490k) under the domestic legal regime.
The Dutch data protection watchdog also issued a fine yesterday, slapping Uber with a €600k (~$670k) penalty for violating local laws.
On the EU law front, Uber has dodged a bit of a bullet here, as the timing of the breach means it falls under both countries’ prior data protection regimes.
In the UK the maximum penalty was just £500k vs up to 4% of a company’s global annual turnover under the EU’s new General Data Protection Regulation (GDPR).
A proportionate fine under GDPR would likely have been considerably larger.
The ICO notes that the records of almost 82,000 drivers based in the UK — including details of journeys made and how much they were paid — were taken during the breach incident which took place in October and November 2016 but which Uber only publicly disclosed a year ago.
In the Netherlands, meanwhile, the regulator notes that the breach affected 174,000 Dutch citizens.
GDPR has also brought in pan-EU breach disclosure requirements, which mean data controllers must now notify relevant authorities within 72 hours of a major breach affecting European citizens’ personal data. And data controllers can be fined for delaying a breach notification.
The UK watchdog said its investigation of the 2016 Uber breach found ‘credential stuffing’ was used to gain access to Uber’s data storage — referring to a process by which username and password pairs compromised elsewhere are replayed against a website’s login until some of them match an existing account.
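Credential stuffing leaves a recognisable trace in a login log: one source address trying many different usernames, almost all of them failing, with the occasional hit where a reused password matches. The following is an added example (not code from the article, the ICO or Uber) of a detector for that pattern. It assumes a hypothetical log format with `src=`, `user=` and `result=` fields, and runs over a constructed sample log embedded in the script; the thresholds are illustrative and would need tuning to a real site’s login volume.

```python
"""Detect credential-stuffing patterns in a login log (added example).

Signal: a single source that tries many *distinct* usernames with a high
failure rate. A legitimate user who mistypes a password retries one
account, so the distinct-user test separates the two cases.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a hypothetical format (not Uber's real logs).
# 203.0.113.7 replays a breached credential list: many users, mostly
# failing, one hit. 198.51.100.4 is a forgetful user retrying one account.
# 192.0.2.9 logs in cleanly once.
SAMPLE_LOG = """\
2016-10-13T02:11:01Z src=203.0.113.7 user=alice result=FAIL
2016-10-13T02:11:01Z src=203.0.113.7 user=bob result=FAIL
2016-10-13T02:11:02Z src=203.0.113.7 user=carol result=FAIL
2016-10-13T02:11:02Z src=203.0.113.7 user=dave result=OK
2016-10-13T02:11:03Z src=203.0.113.7 user=erin result=FAIL
2016-10-13T02:11:03Z src=203.0.113.7 user=frank result=FAIL
2016-10-13T02:11:04Z src=203.0.113.7 user=grace result=FAIL
2016-10-13T02:11:04Z src=203.0.113.7 user=heidi result=FAIL
2016-10-13T08:30:10Z src=198.51.100.4 user=carol result=FAIL
2016-10-13T08:30:25Z src=198.51.100.4 user=carol result=FAIL
2016-10-13T08:30:40Z src=198.51.100.4 user=carol result=FAIL
2016-10-13T08:31:02Z src=198.51.100.4 user=carol result=OK
2016-10-13T09:00:00Z src=192.0.2.9 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)
    successes: set[str] = field(default_factory=set)  # accounts the source got into

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(log_text: str) -> dict[str, SourceStats]:
    """Group login attempts by source address."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return dict(stats)


def flag_stuffing(
    stats: dict[str, SourceStats],
    min_attempts: int = 5,
    min_distinct_users: int = 5,
    min_failure_ratio: float = 0.75,
) -> dict[str, list[str]]:
    """Return {source: [accounts it logged into]} for sources whose pattern
    looks like credential stuffing. The accounts listed are the ones whose
    passwords should be reset first, since a reused password matched."""
    flagged: dict[str, list[str]] = {}
    for src, s in stats.items():
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and s.failure_ratio >= min_failure_ratio):
            flagged[src] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for src, accounts in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(f"{src}: likely credential stuffing; accounts to reset: {accounts}")
```

On the sample log only 203.0.113.7 is flagged, with `dave` as the account that was actually entered; the forgetful user at 198.51.100.4 fails the distinct-user and attempt-count tests and is left alone. The same three counters (attempts, failures, distinct users per source) are cheap to keep in a streaming pipeline, which is what makes this usable as an alerting rule rather than an after-the-fact report.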
However the watchdog also makes a point of underlining Uber’s problematic handling of the incident, which it describes as “inadequate decision-making”, rather than merely censuring Uber’s security, which it also calls “inadequate”.
Instead of disclosing the breach in a timely fashion Uber chose to pay $100,000 to hackers who had obtained the cache of personal data, asking them to destroy it, and routing this payment through a third party that administers its bug bounty program.
The ICO describes this cover-up as “inappropriate”, pointing out that the hackers acted maliciously, as they sought to exploit a vulnerability to illegally gain access to data — so were not at all “legitimate bug bounty recipients”.
Commenting in a statement, ICO director of investigations, Steve Eckersley, said: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” he added.
In the full decision text detailing the reasons for the monetary penalty the ICO also writes that its intent is to “deter further contraventions of this kind, both by Uber and by others”.
The Dutch watchdog also flags Uber’s failure to promptly disclose the breach as grounds for its fine.
We reached out to Uber for comment and a spokesman emailed us the following statement:
We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.
Uber did not respond to a request for comment on the ICO’s description of its cover-up as “inappropriate”.