Uber Technologies Inc., which is already dealing with a barrage of legal and regulatory issues, has landed itself a £900,000 fine from UK and Dutch regulators over the theft of customer data, which the company then kept under wraps.
The Dutch Data Protection Authority (Dutch DPA) announced it is imposing a €600,000 fine on Uber and its Dutch subsidiary Uber B.V. for violating Dutch data breach regulation in 2016. Meanwhile, the UK’s Information Commissioner’s Office (ICO) has imposed a £385,000 fine for the same data breach.
For over a year, Uber hushed up the 2016 data breach, in which hackers gained access to the personal information of 57 million people worldwide. The information included names, email addresses, telephone numbers and the locations where they had signed up. The company also paid the hackers $100,000 to destroy the data.
The then newly appointed CEO, Dara Khosrowshahi, stated that such behavior would not be tolerated by the company. Khosrowshahi said, “None of this should have happened, and I will not make excuses for it.”
In addition, information on 3.7 million drivers was exposed. This included their weekly pay, trip summaries and, in some cases, even their driver’s license numbers.
The Information Commissioner’s Office said the data breach was caused by inadequate information security. It was compounded by Uber’s decision to not report the attack to the authorities and the data subjects within 72 hours after the discovery of the breach. Instead, Uber chose to comply with the hackers’ demands to pay $100,000 as a “bug bounty.”
This isn’t the first time Uber has been fined for its infamous 2016 data breach. The ride-hailing company was forced to cough up $148 million in fines to settle claims related to the data breach cover-up.
The fine adds to Uber’s never-ending list of controversies. From surge pricing to its attitude towards consumer safety, the company has attracted a great deal of criticism on social media.