British and Dutch regulators condemn Uber to 2016 data fine

(Reuters) – British and Dutch regulators fined Uber mobile phone service on Tuesday [UBER.UL] failing to protect customers' personal information during a 2016 cyberattack involving millions of users.

Names, mobile phone numbers and email addresses were compromised in the breach, which involved 57 million users worldwide. This included 2.7 million user accounts in Britain, representing the vast majority of mobile phone service users in the country.

The Office of the Information Commissioner (ICO) in Britain imposed a fine of £ 385,000 ($ 490,760) on the company, while the Dutch Data Protection Authority (DPA) imposed a fine of 600,000 euros ($ 678,780).

"This was not only a serious failure of data security by Uber, but also a total disregard for customers and drivers whose personal information had been stolen," said Steve Eckersley, Director of Investigations at ICO, in a statement.

"At the time, no action was taken to inform those affected by the violation or to offer help and support. This made them vulnerable.

The OIC also indicated that the records of nearly 82,000 UK-based drivers, containing detailed information on journeys made and the amount of their pay, had also been recorded at the time of the incident. October and November 2016.

The breach occurred before the introduction of the General Data Protection Regulation (GDPR) earlier this year, which would allow the ICO to impose fines of up to £ 17 million, or 4 % of a company's overall turnover.

Uber, who also faced licensing issues in London and a long-running legal battle over workers' rights for his UK drivers, said he has changed his data practices since 2016 and hired a manager in the UK this year. the protection of privacy and a data protection officer.

"We are delighted to close this chapter on the 2016 data-related incident," Uber said in a statement.

"As we discussed with the European authorities during their investigations, we made several technical improvements to the security of our systems, immediately following this incident and in the years that followed."

The breach affected 174,000 people in the Netherlands and the Dutch DPA declared that it fined Uber for failing to report the incident within 72 hours of its discovery.