Uber Fined €1 Million for 2016 Data Breach in Europe

Ride-hailing service Uber has been fined roughly €1 million for the data breach it experienced in 2016. The total comes from fines in two different countries.

In 2016, Uber was hit with a data breach that affected 57 million customers worldwide, making it a sizable one. Compounding the problem, Uber chose to hide the breach for over a year. Hackers ransomed the company, demanding payment to have the personal information deleted. In an effort to keep the breach secret, the company paid $100,000 to the hackers. All this drew the ire of users and authorities alike.

Now, European privacy watchdogs have ordered the company to pay fines that total roughly €1 million. From The Next Web:

The Dutch Data Protection Authority (Dutch DPA) just announced it’s imposing a €600,000 fine on Uber and its Dutch subsidiary Uber B.V. for violating Dutch data breach regulation in 2016. Simultaneously, UK’s Information Commissioner’s Office (ICO) declared Uber will be fined £385,000 (around €433,000) for the same data breach back in 2016.

As the report points out, this isn’t the first time Uber has been forced to pay for the breach. Back in September, the company wound up settling in the US for $148 million. From a TechCrunch report back then:

Uber has agreed to pay $148 million to settle a data breach that affected some 57 million customers in 2016.

The agreement was with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter, Uber’s chief legal officer Tony West said in a statement released Wednesday.

The data breach affected 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach.

Uber’s response and cover up of the breach led to the firing of Joe Sullivan, the company’s chief security officer at the time. Uber didn’t report the incident that occurred in October 2016. Instead, the company paid hackers $100,000 to get rid of the evidence and keep the data breach a secret, which Bloomberg first reported.

While the fines are comparatively lower in Europe, it’s worth pointing out that Europe’s GDPR only took effect this year. As such, these fines fall under the previous European laws. Had the breach taken place this year instead of 2016, there is a much higher probability that the fines would have been substantially higher.

This is something you’ll likely see for the next year or so. Major leaks and breaches that took place before GDPR took effect are still working their way through the legal systems. However, this will eventually come to an end as fines related to breaches and leaks that took place after the laws took effect start making the news. We’ve already seen a number of them this year, so it’s only a matter of time before the heavier fines start getting levied against affected companies.

Still, it’s worth pointing out that there are consequences to these leaks and breaches. It’s just unfortunate that we hear more about the leaks and breaches themselves rather than the end results.

Drew Wilson on Twitter: @icecube85 and Google+.
