
Uber fined for data breach

by Mark Rowe

The UK data privacy regulator the Information Commissioner’s Office (ICO) has fined the ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

What the ICO termed a series of avoidable data security flaws allowed the names, email addresses and phone numbers of around 2.7 million UK customers (out of 32 million non-US users) to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. The records of almost 82,000 UK-based drivers (out of 3.7 million drivers in all), which included details of journeys made and how much they were paid, were also taken during the incident in October and November 2016.

The ICO found that ‘credential stuffing’, a process by which username and password pairs compromised elsewhere are tried against a website until they match an existing account, was used to gain access to Uber’s data storage. However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers the $100,000 they demanded, via the third party that runs Uber’s ‘bug bounty’ scheme, in return for destroying the data they had downloaded. For the details of the fine and the breach visit the ICO website.
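As an added illustration that is not part of the original article: the detection rule below (one source address trying many distinct usernames with a high failure rate inside a short window, the signature that separates credential stuffing from a single user mistyping a password) is an assumption of this example, not Uber’s or the ICO’s logic, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <src_ip> <username> <result>".
# 203.0.113.7 cycles through many accounts; 198.51.100.4 retries one account.
SAMPLE_LOG = """\
2016-10-13T09:00:01 203.0.113.7 alice FAIL
2016-10-13T09:00:02 203.0.113.7 bob FAIL
2016-10-13T09:00:03 203.0.113.7 carol FAIL
2016-10-13T09:00:04 203.0.113.7 dave OK
2016-10-13T09:00:05 203.0.113.7 erin FAIL
2016-10-13T09:00:06 203.0.113.7 frank FAIL
2016-10-13T09:01:00 198.51.100.4 alice FAIL
2016-10-13T09:01:30 198.51.100.4 alice FAIL
2016-10-13T09:02:00 198.51.100.4 alice OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, failures, attempts)} for the widest
    sliding window in which an IP tried >= min_users distinct accounts
    with a failure ratio >= min_fail_ratio. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        users, fails, start = Counter(), 0, 0
        for end, (ts, user, ok) in enumerate(evs):
            users[user] += 1
            fails += not ok
            while ts - evs[start][0] > window:  # slide the window forward
                old_ts, old_user, old_ok = evs[start]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                fails -= not old_ok
                start += 1
            total = end - start + 1
            prev = flagged.get(ip)
            if len(users) >= min_users and fails / total >= min_fail_ratio \
                    and (prev is None or len(users) > prev[0]):
                flagged[ip] = (len(users), fails, total)
    return flagged
```

The single-account retries from 198.51.100.4 are not flagged, which is the point: stuffing is spotted by breadth across accounts, not by depth against one.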

ICO Director of Investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The ICO called the incident a serious breach of principle seven of the Data Protection Act 1998, that had the potential to expose the customers and drivers affected to increased risk of fraud. It came to light when an announcement, made by the company itself, was reported by the media in November 2017. The ICO did not find evidence that the compromised data was used for fraud or identity theft.

Mr Eckersley added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The data protection authority for the Netherlands, the Autoriteit Persoonsgegevens, has also issued a fine to Uber under its own pre-GDPR law. The Dutch regulator was the lead on an international investigation.

For Uber’s own comment, given in September by Tony West, Chief Legal Officer, when the company reached an agreement with the attorneys general of the 50 US states and the District of Columbia, see the Uber website.

Comments

Jake Moore, at cyber security company ESET UK, said: “Cyber criminals can do a lot of damage with a large breached list containing only names and emails so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’. Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords. An incredibly large amount of people still use predictable or simple passwords. Together with previous and even recent high profile breaches, many people’s passwords are also readily available on the dark web so it can sadly be made very simple for the cyber criminals. There is no doubt that this fine would be higher if it had been post GDPR.”

Andrew Lloyd, president of Corero Networks, said: “This was one of the last pre-GDPR breaches. Under the previous EU/UK Data Protection rules, the maximum fine was £500k. In this context, a £385k penalty is a hefty fine. I suspect that Uber was hit with a fine at the upper end of the scale (77pc) as they took rather a long time between the incident and their disclosure.

Clearly, if a similar incident was to occur again, the ICO could impose a much larger penalty now that GDPR and, for those covered by it, the NIS Regulations are in force. If we assume that the maximum penalty under GDPR and NIS is £17m, a 77pc fine would be an eye-watering £13m. That level of penalty should act as a wake-up call to all organisations.”

Martin Jartelius, CSO of Outpost24 said: “Taking into account the substantial impact of this breach and the way it was handled by Uber, this is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”


© 2024 Professional Security Magazine. All rights reserved.
