Uber has been fined over £900,000 by UK and Dutch watchdogs in relation to a 2016 data breach which impacted customer data.
The UK's Information Commissioner's Office (ICO) fined the ride-hailing service £385,000 for "failing to protect customers' personal information during a cyberattack," while the Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €600,000 (£532,000) for violating Dutch data protection laws.
The ICO says that the data breach, which took place in 2016, was caused by "avoidable" security problems.
Uber's systems were compromised by an attacker, believed to be a 20-year-old from the United States, who used credential stuffing techniques, together with access to a private GitHub repository, to expose information belonging to approximately 57 million riders and seven million drivers.
Names, email addresses, phone numbers, and drivers' license copies were all compromised during the breach.
Rather than come clean, however, Uber paid off the hacker, giving him $100,000 under the guise of a bug bounty.
In return, the hacker was to delete the stolen data and keep quiet. Unfortunately for Uber, however, the truth eventually came out.
The company has already agreed to pay $148 million in the US to settle the data breach case and cover-up, but as the information exposed also contained data belonging to users in the EU, fines were also imposed across the pond.
The ICO says that roughly 2.7 million UK customers were impacted by the breach, as well as close to 82,000 drivers, including the details of journeys made and payments. Dutch regulators indicate that 174,000 Dutch citizens were also involved.
"This was not only a serious failure of data security on Uber's part but a complete disregard for the customers and drivers whose personal information was stolen," says ICO Director of Investigations Steve Eckersley. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
The ICO added that paying off the hacker was not "an appropriate response to the cyber attack."
Both fines were issued under pre-GDPR rules and are therefore limited to the amounts permitted under the Data Protection Act 1998. Had the security incident taken place after the EU's General Data Protection Regulation came into force in May, the fines imposed by both regulatory bodies could have been far higher.