The Information Commissioner's Office (ICO) has fined Uber £385,000 for allowing hackers to steal data on 2.7 million UK customers. In 2016, hackers obtained the full names, addresses and phone numbers of Uber customers, and the ICO said the whole incident was avoidable. Uber has also been fined 600,000 euros by regulators in Holland over a similar breach in which 174,000 customers' data was stolen.
Cyber-attackers hacked Uber's cloud servers and downloaded files, including the records of 35 million users worldwide. Drivers were also affected: 3.7 million drivers, 82,000 of them from the UK, had their weekly pay and tip information stolen. The ICO said the breach was caused by inadequate information security. It was made worse when Uber decided not to inform the public or regulators about the attack. Instead, it chose to pay $100,000 to the researchers who found the bug and fixed the problem for them. This is common practice in the cyber security world: companies offer rewards, or pay ransoms, to researchers who find weaknesses in their systems and notify them before those weaknesses can be attacked.
In its report the ICO said: “Uber did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users.”
Uber said: “We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”
As the breach happened in 2016, Uber was spared the heftier fines now enforceable under the EU GDPR. GDPR introduced a duty on organisations to report data breaches to the relevant supervisory authority, and this must now be done within 72 hours of a breach. If the breach could adversely affect individuals, they must be informed without delay. All organisations must ensure they have robust breach detection in place, along with investigation and internal reporting procedures, and they must keep a record of any personal data breaches.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers breaches with both accidental and deliberate causes, and it means that a breach is about more than just losing personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
GDPR makes clear that when a security incident takes place, organisations should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.