The United Kingdom’s Information Commissioner’s Office (ICO) said it fined ride-sharing provider Uber 385,000 pounds (U.S. $490,000) for failing to take adequate steps to protect the personal data of its customers during a cyberattack suffered by the company in 2016. The attack resulted in the theft of personal data on about 2.7 million Uber customers in the U.K., including names, addresses, and phone numbers. ICO said that Uber paid the attackers $100,000 to destroy the stolen data, and didn’t tell customers about it for more than a year. Steve Eckersley, ICO’s director of investigations, said in a statement, “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.” He added, “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack…Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
