[ad_1]
Uber is a US technology company that develops and operates mobile applications for connecting users with drivers conducting transportation services. The company has just copied a fine of more than 900,000 for a data breach of 2016 that affected customer data. The Office of the Information Commissioner, Information Commissioner's Office (ICO), a UK public body that defends the right to information in the public interest, promoting the transparency of public bodies and the protection of personal data, condemned Uber a fine of 385,000, or about 434,000 for failing to sufficiently protect the personal information of its customers during a cyberattack.
At the same time, Dutch Data Protection Authority (DPA), the Dutch Data Protection Authority, which is the data protection authority of the Netherlands, has also fined Uber 600,000 for violating Dutch law. on data protection. In total, the Californian company has cop cope with a fine of about one million euros. As a reminder, towards the end of November 2017, VTC CEO Dara Khosrowshahi reported that two hackers stole the personal data from Uber Technologies Inc.'s 57 million customers and drivers. is that this data breach was known to his security chief, Joe Sullivan, and one of his assistants, Craig Clark, since 2016.
To cover certain actions, the latter ignored these facts and made a payment of $ 100,000 to hackers asking them to delete the data in their possession. After digging into this case, Reuters reported that one of the two hackers involved in the theft of the data would be a 20-year-old man who received the indicated amount ($ 100,000) as a reward given through the bug bounty program. organized by the company. A Reuters source had described the hacker as living with his mother in a small house trying to help pay bills. Reuters adds that members of the Uber security team did not want to prosecute someone who did not seem to pose a real threat.
The CEO assured that at the time of the incident, Uber took immediate steps to secure the data and terminate unauthorized access by individuals. She then identified the individuals and obtained assurances that the downloaded data had been destroyed. Then she put security measures in place to restrict access to and control over cloud-based storage accounts. The compromised data included names and license numbers of 600,000 drivers. Uber's decision to conceal the violation was a flagrant violation of public trust, Xavier Becerra, the California Attorney General, said in a statement. The company was unable to protect user data and inform the authorities when they were exposed. he added.
The transport company, which wants to regain the confidence of customers and drivers and redo its image, fully collaborates with the survey. It had decided to pay $ 148 million, which will be distributed among the 50 states and the District of Columbia. Tony West, Uber's chief legal officer, said the company had recently hired a privacy officer and a trust and safety officer. We know that winning the trust of our customers and the regulators we work with globally is not an easy task. After all, trust is hard to win and easy to lose, said West.
This is not only a serious failure to protect data from Uber but also a total disregard for customers and drivers whose personal data had been stolen, says Steve Eckersley, Director of Investigations at ICO, quoted in a communiqu. At the time, no action was taken to warn anyone concerned about the facts or to offer help and support, he added. LICO said data from nearly 82,000 bass drivers in Britain were flown in October and November 2016. The Dutch authorities reported 174,000 people affected by the incident. In a statement, Uber said he was satisfied with closing this chapter on the 2016 data incident.
Paying the attackers and then keeping this topic quiet afterwards was not, in our opinion, an appropriate response to the cyber attack, Eckersley said. The Data Protection Act (DPA) of 1998 had no legal obligation, but everything has changed since the RGPD came into effect last May. Companies have 72 hours to inform ICO or have a valid reason for not doing so. The two fines thus limited are those authorized by the 1998 Data Protection Act. If the security incident occurred after the coming into force of the GDPR, the fines could have been much higher.
Sources: DPA, ICO
And you ?
What do you think ?
See as well
Uber: 2016 data hacking allegedly committed by a 20-year-old hacker pays $ 100,000 as a bonus bounty bug for his silence
Uber was the victim of massive hacking in 2016 and preferred to pay 100,000 hackers for cluttering the affair
Uber to pay $ 148 million for data breach investigation for concealing unauthorized access to the public
[ad_2]
Source link