Home > News > Global Insights > Europe & UK > UK ICO, Dutch DPA impose...

UK ICO, Dutch DPA impose penalties of £385,000, €600,000 on Uber over 2016 data breach

By - Legal Era
Update: 2018-11-29 09:38 GMT

A 2016 data breach in Uber (a peer-to-peer ridesharing, taxi cab, food delivery, bicycle-sharing, and transportation network company) exposing the personal details of millions of its customers has resulted into major penalties for the company. In this case, on November 27, 2018, Uber was fined a whopping £385,000 ($491,284) and €600,000 ($679,257) by the UK’s Information Commissioners...

A 2016 data breach in Uber (a peer-to-peer ridesharing, taxi cab, food delivery, bicycle-sharing, and transportation network company) exposing the personal details of millions of its customers has resulted into major penalties for the company. In this case, on November 27, 2018, Uber was fined a whopping £385,000 ($491,284) and €600,000 ($679,257) by the UK’s Information Commissioners Office (ICO) and the Dutch Data Protection Authority (Dutch DPA), respectively.

The case dates back to 2016, when Uber’s four UK affiliates (Uber London Limited, Uber Britannia Limited, Uber Scot Limited, and Uber NIR Limited) along with Uber US—the data processor for these affiliates—were subject to a cyberattack between October 13 and November 15, 2016. In this attack, hackers accessed personal details, including full names, email addresses, and phone numbers, of 2.7 million Uber customers in the UK and 174,000 in the Netherlands, in addition to its drivers’ worldwide data, including phone numbers, email addresses, passwords, driver’s license information, etc.

However, Uber did not report the incident for more than a year, which led to increased trouble for the company.

In this regard, ICO’s Director of Investigations Steve Eckersley said, “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen... At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The ICO reported the attack as a “serious breach” of the UK’s Data Protection Act, 1998 as it exposed customers and drivers to increased risk of fraud. On the other hand, Dutch DPA stated that it had imposed the penalty as Uber had failed to report the breach within the country’s mandated 72-hour window.

Notably, as the breach occurred before the EU’s General Data Protection Regulation (GDPR) came into effect, the penalty on Uber was imposed as per the previous Acts.

Similar News

German prosecutors drop money-laundering probe against Deutsche Bank managers
Latham & Watkins Secures Victory In Groundbreaking Anti-Suit Injunction Case In UK Supreme Court
EU Court of Justice rules in Favor of Audi in Spare Parts Trademark Case
U.S. Court of Appeals for Ninth Circuit Rejects Claims of Copyright Infringement Against Instagram’s Embed Code
European Court of Justice Declares Batman Logo Distinctive in Trademark Lawsuit
META Slapped with $1.3 Billion Fine for Violating EU Data Transfer Rules
U.K. Antitrust Probes into Adobe’s $20 Billion Figma Acquisition Deal
Magic Circle Law Firm Allen & Overy Expands Partnership with 36 Internal Promotions
Squire Patton Boggs enters cooperation agreement with The Law Office of Looaye M. Al-Akkas in Saudi Arabia
Clifford Chance Leads Advising Role for Al Ansari Financial Services' Successful IPO
EU Antitrust Regulator Issues News Statement of Objections Against Apple
DLA Piper's EU Life Sciences practice gets strategic boost through Brussels move