Uber has been fined £385,000 or about $1.2 million by British and Dutch authorities for failing to protect customers’ data during a cyber attack in 2016. Britain’s Information Commissioner’s Office has announced that it fined the company 385,000 pounds and Dutch officials imposed a 600,000-euro fine for violating Dutch data protection laws.
British officials cited a series of “avoidable data security flaws” that allowed personal data for roughly 2.7 million U.K. customers to be downloaded by hackers during an incident in October and November 2016.
The information commission’s director of investigations, Steve Eckersley, said Uber had shown a “complete disregard for the customers and drivers whose personal information was stolen” after the substantial security breach. He added that “at the time, no steps were taken to inform anyone affected by the breach, or to offer help and support.”
Dutch officials say Uber did not report the data breach to authorities within 72 hours as required by regulations. The Dutch Data Authority says 57 million users worldwide and 174,000 Dutch citizens were affected by the data breach.
The U.S.-based company said in a statement that Uber is “pleased to close this chapter on the data incident from 2016.” It said a number of technical improvements have been made to the security system since then. The company also cites a number of changes to the senior management team that it has made in the last year.
Because of the timing of the breach, the fine was issued under the old Data Protection Act 1998, which sets out a maximum financial penalty of £500,000. Under the DPA 2018, the potential fine would be much higher, at up to 4% of Uber’s global revenue.