ICO fines Uber £385,000 for data protection failings

The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

The fine comes just two months after Uber agreed to a $148m settlement agreement in a case in the US brought by 50 US states and the District of Columbia over Uber’s attempt to cover up the data breach in 2016, which only came to light in 2017 when it emerged that 600,000 US drivers and 57 million user accounts had been affected.

An ICO investigation found that a series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.

The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.

The ICO investigation found that credential stuffing, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.

However, the customers and drivers affected were not told about the incident for more than a year, when it emerged that Uber had paid the cyber attackers $100,000 through its bug bounty programme to delete the stolen data and keep quiet about the breach.

ICO director of investigations, Steve Eckersley, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The ICO said the incident, which is a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” said Eckersley.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The data protection authority for the Netherlands, the Autoriteit Persoonsgegevens, has also issued a fine to Uber under its own pre-GDPR legislation of nearly £533,000. The Dutch regulator was the lead member of an international task force which included the ICO and which co-operated in investigating the effects of the incident in their respective jurisdictions.

The General Data Protection Regulation (GDPR) has applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.

Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17m or 4% of global turnover.

The timing of the Uber breach ahead of the GDPR enforcement date means that the civil monetary penalty has been issued under the previous legislation, the Data Protection Act 1998.

The maximum financial penalty in civil cases under former laws is £500,000, which was the penalty imposed on Facebook in October 2018 for serious breaches of data protection law involving Cambridge Analytica that affected 87 million users, including nearly 1.1 million Britons.

The incident is still under investigation by the House of Commons digital, culture, media and sport (DCMS) committee. As reported by Computer Weekly, the committee last week ordered documents relating to Facebook to be handed over by Ted Kramer, head of US software company SixforThree, who was passing through London.

Kramer is suing Facebook in the San Mateo Superior Court in California over rights to access pictures of people wearing bikinis. Kramer had obtained the Facebook documents under “discovery”, a legal procedure that allows litigants sight of each other’s case papers.

The documents were sealed by a San Mateo, California Superior Court judge after months of legal wrangling between Facebook, Kramer’s company Six4Three, and media organisations. But the California court has no jurisdiction in the UK and the DCMS committee chair Damian Collins believes the documents contain insights relevant to the committee’s investigation into disinformation and fake news.

Richard Allan, Facebook’s vice-president for public policy is expected to appear in London later today before legislators from seven countries investigating the social media firm for its role in election meddling and spreading disinformation.

The UK, Canada, Brazil, Latvia, Argentina, Ireland, Singapore, France and Belgium have repeatedly called on Facebook CEO Mark Zuckerberg to give testimony, but the firm announced last week it will be represented by Allan.