The legal bill for Uber's 2016 data breach, which affected some 57 million customers and exposed names, email addresses and telephone numbers, has grown by more than a million dollars.
Two months ago, the ride-hailing giant agreed to pay $148 million to settle legal claims over the breach in the US, with that agreement covering all 50 states and the District of Columbia.
However, the breach also involved the data of European users. And yesterday the UK's data protection watchdog, the ICO, announced that it was fining Uber £385,000 (~$490k) under the national legal regime.
The Dutch data protection regulator also issued a fine yesterday, hitting Uber with a €600k (~$670k) penalty for breaking local laws.
On the EU legal front, Uber has dodged something of a bullet here, since the timing of the breach means it falls under the previous data protection regimes of both countries.
In the UK, the maximum fine under the old regime was £500k, compared with up to 4% of a company's global annual turnover under the new EU General Data Protection Regulation (GDPR).
A proportionately large fine under GDPR would probably have been considerably higher.
The ICO notes that records of almost 82,000 UK-based drivers, including details of trips made and how much they were paid, were taken during the breach, which took place in October and November 2016 but which Uber only revealed publicly a year ago.
In the Netherlands, meanwhile, the regulator notes that the breach affected 174,000 Dutch citizens.
GDPR has also introduced breach disclosure requirements across the EU, meaning data controllers must now notify the relevant authorities within 72 hours of a major breach affecting the personal data of European citizens. And data controllers can be fined for delaying a breach notification.
The UK watchdog said its investigation into the 2016 Uber breach found that "credential stuffing" was used to access Uber's data storage, referring to a process in which compromised username and password pairs are injected into websites until they match an existing account.
But the watchdog also singles out Uber's problematic handling of the incident, describing it as "inappropriate decision-making", as well as censuring Uber's "inadequate" security.
Rather than disclosing the breach in a timely manner, Uber opted to pay $100,000 to the hackers who had obtained the cache of personal data, asking them to destroy it and routing the payment through a third party that manages its bug bounty program.
The ICO describes this cover-up as "inappropriate", noting that the hackers acted maliciously, since they sought to exploit a vulnerability to gain unauthorized access to the data, and so were not in any way "legitimate bug bounty recipients".
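The signature that credential stuffing leaves in authentication logs is the mirror image of the process described above: one source trying many distinct usernames, mostly failing, and occasionally landing on an account whose leaked password still works. The following script is an added illustration, not code from Uber, the ICO or this article; the log format, the IP addresses, the usernames and the thresholds are all constructed assumptions. It summarizes login events per source address, flags sources that fit the stuffing pattern, and lists the accounts that were successfully entered from a flagged source, which is the set a defender would force-reset and notify.

```python
"""Flag credential-stuffing patterns in login logs (added example, assumed format)."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log lines in an assumed "timestamp ip username result" format.
# 203.0.113.7 cycles through many different usernames (stuffing pattern);
# 198.51.100.4 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2016-10-13T02:00:01Z 203.0.113.7 alice FAIL
2016-10-13T02:00:02Z 203.0.113.7 bob FAIL
2016-10-13T02:00:03Z 203.0.113.7 carol FAIL
2016-10-13T02:00:04Z 203.0.113.7 dave FAIL
2016-10-13T02:00:05Z 203.0.113.7 erin OK
2016-10-13T02:00:06Z 203.0.113.7 frank FAIL
2016-10-13T02:01:10Z 198.51.100.4 alice FAIL
2016-10-13T02:01:25Z 198.51.100.4 alice FAIL
2016-10-13T02:01:40Z 198.51.100.4 alice OK
2016-10-13T02:02:00Z 192.0.2.9 grace OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    """Per-source-IP login summary."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames where login succeeded

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text: str) -> dict:
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ev in parse_log(text):
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(ev["user"])
    return dict(stats)


def flag_stuffing(stats: dict, min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Return sources that tried many distinct usernames with a high failure rate.

    Thresholds are assumptions for the example; in practice they are tuned per
    site. A single user retrying their own password never trips min_users.
    """
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio
    }


def accounts_to_notify(flagged: dict) -> set:
    """Accounts successfully entered from a flagged source: reset and notify these."""
    hit = set()
    for s in flagged.values():
        hit |= s.compromised
    return hit


if __name__ == "__main__":
    flagged = flag_stuffing(summarize(SAMPLE_LOG))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} usernames, {s.fail_ratio:.0%} failures, "
              f"successful logins: {sorted(s.compromised)}")
    print("accounts to reset/notify:", sorted(accounts_to_notify(flagged)))
```

Running the script on the constructed log flags only 203.0.113.7 (six usernames, five failures out of six attempts) and reports `erin` as the account to reset and notify; the retrying legitimate user at 198.51.100.4 is not flagged because it only ever tries one username. The distinct-username count is the key discriminator: brute force against one account and a forgetful user both fail repeatedly, but neither spreads failures across many accounts the way replayed leaked credentials do.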
Commenting in a statement, ICO director of investigations Steve Eckersley said: "Paying the attackers and then being silent about it was not, in our opinion, an adequate response to the cyber attack. Although there was no legal obligation to report data breaches under the previous legislation, Uber's poor data protection practices and subsequent decisions and behaviours will likely have aggravated the distress of those affected.
"This was not only a serious failure of data security on Uber's part, but also a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform those affected by the breach, or to offer help and support. That left them vulnerable."
In the full decision text setting out the reasons for the monetary penalty, the ICO also writes that its intention is to "deter future breaches of this kind, both by Uber and others."
The Dutch watchdog also cites Uber's failure to promptly disclose the breach as a reason for its fine.
We contacted Uber for comment and a spokesperson sent us the following statement:
"We are pleased to close this chapter on the 2016 data incident. As we shared with European authorities during their investigations, we have made a number of technical improvements to the security of our systems, both in the immediate aftermath of the incident and in the years since. We have also made significant changes in leadership to ensure proper transparency with regulators and customers going forward. Earlier this year we hired our first chief privacy officer, data protection officer and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day."
Uber did not respond to a request for comment on the ICO's description of its cover-up as "inappropriate."