Uber fined £385,000 for data breaches affecting millions of passengers


The Information Commissioner's Office (ICO) has announced that Uber's European operation has been fined £385,000.

In November 2016, attackers obtained credentials that gave them access to Uber's cloud servers and downloaded 16 large files, including records relating to 35 million users worldwide. The records included passengers' full names, telephone numbers, e-mail addresses and the location where they had registered.

Drivers were also affected: 3.7 million people, including 82,000 in the United Kingdom, had their weekly pay, trip summaries and, in a small number of cases, their driver's licence numbers accessed.

The ICO said the breach was caused by inadequate information security and was made worse by Uber's decision not to disclose the attack, but instead to comply with the hackers' demand for a payment of $100,000 as a "bug bounty". Such bounties are common in the security world: companies offer rewards to researchers who discover weaknesses in their systems and report them before they can be exploited.

However, the ICO wrote: "Uber US did not follow the normal operation of its bug bounty programme. During this incident, Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of just identifying a vulnerability and disclosing it in a responsible manner, they exploited the vulnerability in a malicious way and intentionally acquired personal information about Uber users."

It said that none of the people whose personal data had been compromised had been informed of the breach. Instead, the company began monitoring the affected accounts for fraud only 12 months after the attack.

Mitigating factors, which reduced the potential penalty, included the fact that Uber's European branches had themselves not been informed of the breach, meaning the company had no opportunity to report it to the Commissioner, and the lack of evidence that the compromised data had been misused.

In September, Uber US was ordered to pay $148m for failing to inform drivers of the breach.

Uber Europe has been contacted for a comment.

The timing of the breach meant that the fine was imposed under the former Data Protection Act 1998, which provided for fines of up to £500,000. Under the Data Protection Act 2018, which transposes the EU's General Data Protection Regulation into UK law, the potential fine would be far higher: up to 4% of Uber's global revenue.
