Uber has been fined £385,000 by a UK watchdog for failing to protect customers’ personal information during a cyber attack.
A series of “avoidable data security flaws” allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers, the Information Commissioner’s Office (ICO) said.
This included full names, email addresses and phone numbers, exposing people to an “increased risk of fraud”.
The records of almost 82,000 UK drivers – including details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Hackers obtained personal details of a total of 57 million Uber customers and drivers worldwide from a cloud-based storage system operated by the ride hailing app firm’s US parent company
Customers and drivers affected were only alerted when Uber made an announcement in November 2017.
Uber paid the attackers responsible 100,000 US dollars (£78,000) to destroy the data they had downloaded.
Mr Eckersley added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
Chun Wong, partner at law firm Hodge Jones and Allen, which specialises in data breach cases, said: “Uber’s flagrant disregard with people’s data and then attempts to cover it up signifies one of the worst data breaches we have seen to date.
“Uber will consider themselves fortunate that higher fines brought in in May this year were not in force, which could have meant them facing fines of up to 4% of their turnover or 20 million euros, whichever is the higher.
“The fine of £385,000 seems a small price to pay and will be of little comfort to those affected.”
Uber was also handed a separate 600,000-euro (£532,000) fine by the data protection authority in the Netherlands.
The Autoriteit Persoonsgegevens said 174,000 Dutch citizens were affected by the hack.
In June, a judge granted Uber a short-term operating licence in London after its permit was initially not renewed over safety concerns.
The firm conceded it had made “serious mistakes” and Transport for London was correct in its renewal decision, but told an appeal hearing it had made “wholesale” reforms.