Uber fined £385,000 for data protection failings

Published on: 18 Dec 2018

Ride-sharing service Uber has been fined £385,000 for failing to protect customers’ personal information during a cyber attack.

Around 2.7 million UK customers had their personal details accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. Data stolen included full names, email addresses and phone numbers.

The records of almost 82,000 UK-based drivers - which included details of journeys made and how much they were paid - were also taken during the incident in October and November 2016.

An investigation by the Information Commissioner’s Office (ICO) - which issued the fine - found that a series of avoidable data security flaws made the breach possible.

Attackers managed to wear down Uber’s cyber defences and access its data storage by ‘credential stuffing’: repeatedly submitting username and password pairs compromised elsewhere to login pages until some of them match an existing account.
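Credential stuffing leaves a recognisable shape in authentication logs: one source trying many distinct accounts in a short window, failing most of the time, with an occasional success where a reused password matched. The script below is an added example written for this page, not code from the ICO or Uber; the log line format, the thresholds and the sample log (constructed) are all assumptions. It flags sources matching that pattern and lists the accounts they logged into, which is the set a defender would force a password reset on.

```python
"""Flag a credential-stuffing pattern in login logs (illustrative example).

Assumed log format (one event per line, constructed for this example):
    <ISO-8601 UTC timestamp> ip=<source> user=<account> result=OK|FAIL
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays eight different accounts in seven
# seconds and gets one hit; 198.51.100.7 is a real user mistyping a password.
SAMPLE_LOG = """\
2016-10-13T02:14:01Z ip=203.0.113.5 user=alice result=FAIL
2016-10-13T02:14:02Z ip=203.0.113.5 user=bob result=FAIL
2016-10-13T02:14:03Z ip=203.0.113.5 user=carol result=FAIL
2016-10-13T02:14:04Z ip=203.0.113.5 user=dave result=OK
2016-10-13T02:14:05Z ip=203.0.113.5 user=erin result=FAIL
2016-10-13T02:14:06Z ip=203.0.113.5 user=frank result=FAIL
2016-10-13T02:14:07Z ip=203.0.113.5 user=grace result=FAIL
2016-10-13T02:14:08Z ip=203.0.113.5 user=heidi result=FAIL
2016-10-13T02:20:00Z ip=198.51.100.7 user=carol result=FAIL
2016-10-13T02:20:30Z ip=198.51.100.7 user=carol result=FAIL
2016-10-13T02:21:00Z ip=198.51.100.7 user=carol result=OK
2016-10-13T02:25:00Z ip=198.51.100.9 user=ivan result=OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    first: datetime
    last: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def summarise(lines):
    """Aggregate login events per source IP; malformed lines are skipped."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first=ts, last=ts)
        s.first = min(s.first, ts)
        s.last = max(s.last, ts)
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8,
                  window=timedelta(minutes=10)):
    """Return {ip: [accounts it logged into]} for sources that look like
    credential stuffing: many distinct accounts, mostly failures, in a
    short span. Thresholds are assumed starting points, not tuned values."""
    flagged = {}
    for ip, s in stats.items():
        many_accounts = len(s.users) >= min_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        burst = (s.last - s.first) <= window
        if many_accounts and mostly_failing and burst:
            flagged[ip] = sorted(s.successes)
    return flagged


def detect(log_text):
    """Convenience wrapper: raw log text -> flagged sources."""
    return flag_stuffing(summarise(log_text.splitlines()))


if __name__ == "__main__":
    for ip, accounts in detect(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset {accounts}")
```

The per-source view catches a single noisy source; stuffing run through a botnet spreads attempts across many addresses, so in practice the same counters are also kept per account and per autonomous system, and the failure ratio is compared against a baseline rather than a fixed threshold.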

More than a year passed before affected customers and drivers were made aware of the breach.

Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.

Steve Eckersley, the ICO’s director of investigations, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”