Maria Montero

Uber's bill for the 2016 breach and cover-up grows by $1M+ in EU fines

The legal bill for the 2016 Uber data breach, which affected some 57 million customers and exposed names, email addresses and phone numbers, has grown by more than a million dollars.

Two months ago, the ride-hailing giant agreed to pay $148 million to settle legal inquiries related to the breach in the US, with that settlement covering all 50 states and the District of Columbia.

However, the breach also involved the data of European users. And yesterday the UK's data protection watchdog, the ICO, announced that it is fining Uber £385,000 (~$490k) under the national legal regime.

The Dutch data protection regulator also issued a penalty yesterday, hitting Uber with a fine of €600k (~$670k) for violating local law.

On the EU legal front, Uber has dodged a bit of a bullet here, since the timing of the breach places it under the previous data protection regimes of both countries.

In the UK, the maximum fine under the old regime was £500k, versus 4% of a company's global annual turnover under the new EU General Data Protection Regulation (GDPR).

A proportionately large fine under GDPR would likely have been considerably higher.

The ICO notes that records of almost 82,000 UK-based drivers, including details of trips made and how much they were paid, were taken during the breach, which took place in October and November 2016 but which Uber only disclosed publicly a year ago.

In the Netherlands, meanwhile, the regulator says the breach affected 174,000 Dutch citizens.

GDPR has also introduced breach disclosure requirements across the EU, meaning data controllers must now notify the relevant authority within 72 hours of a major breach affecting the personal data of EU citizens. And data controllers can be fined for delaying a breach notification.

The UK watchdog said its investigation of the 2016 Uber breach found that "credential stuffing" was used to access Uber's data storage, referring to a technique in which compromised username and password pairs are injected into websites until they match an existing account.
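The credential stuffing described above can be spotted on the defender's side by looking for a single source that tries many different usernames in a short span, as opposed to one account being hit repeatedly. The following is an added Python example, not code from the article or from Uber, run over a constructed login log; the log format, thresholds and IP addresses are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article); one line per login attempt.
SAMPLE_LOG = """\
2016-10-13T02:14:01Z src=203.0.113.7 user=alice result=FAIL
2016-10-13T02:14:02Z src=203.0.113.7 user=bob result=FAIL
2016-10-13T02:14:03Z src=203.0.113.7 user=carol result=OK
2016-10-13T02:14:04Z src=203.0.113.7 user=dave result=FAIL
2016-10-13T02:14:05Z src=203.0.113.7 user=erin result=FAIL
2016-10-13T02:14:06Z src=203.0.113.7 user=frank result=FAIL
2016-10-13T02:20:00Z src=198.51.100.9 user=alice result=FAIL
2016-10-13T02:20:30Z src=198.51.100.9 user=alice result=OK
2016-10-13T03:00:00Z src=192.0.2.44 user=grace result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, source_ip, username, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: {"distinct_users": n, "hits": [...]}} for sources that tried at
    least min_distinct_users different accounts within one `window`; "hits" lists the
    accounts that authenticated OK and should be treated as potentially compromised."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so every later event is >= the window start
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users:
                hits = sorted({u for _, u, ok in in_window if ok})
                prev = alerts.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {"distinct_users": len(users), "hits": hits}
    return alerts
```

The source hammering a single account (198.51.100.9) is deliberately not flagged, since that pattern is brute force rather than stuffing and warrants a different response (lockout or rate limiting on that one account).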

However, the watchdog also singles out Uber's problematic handling of the incident, describing it as "inappropriate decision-making", rather than only censuring Uber's "inadequate" security.

Instead of disclosing the breach in a timely manner, Uber opted to pay $100,000 to the hackers who had obtained the cache of personal data, asked them to destroy it, and routed this payment through the third party that runs its bug bounty program.

The ICO describes this cover-up as "inappropriate," noting that the hackers acted maliciously, since they tried to exploit a vulnerability to gain unauthorised access to the data, and so were in no way "legitimate bug bounty recipients."

Commenting in a statement, ICO director of investigations Steve Eckersley said: "Paying the attackers and then being silent about it was not, in our opinion, an adequate response to the cyber attack. Although there is no legal obligation to report data breaches under previous legislation, Uber's bad data protection practices and subsequent decisions and behaviors will likely have aggravated the anguish of those affected."