Updated The UK’s data watchdog has slapped a £385,000 penalty on app-not-driving-service baddie Uber for security weak spots that attackers exploited to expose the details of millions of customers.
Two fiends accessed the data after snatching login credentials for Uber's AWS S3 data stores from the firm's GitHub code repo.
The hack, which Uber 'fessed up to in November 2017 but which actually happened 12 to 13 months earlier, saw ne'er-do-wells nab information on 57 million punters globally, including full names, email addresses and phone numbers.
The personal details of 2.7 million Brit punters were scooped up in the security skirmish, as were the records of roughly 82,000 drivers based in the UK that ranged from details of journeys made to payments taken.
Rather than admitting the hack affecting tens of millions of passengers customers, Uber's co-founder and former CEO Travis Kalanick decided it would be better to keep schtum and not go public with the mess. Instead, Uber paid off the hackers to the tune of $100,000 to destroy the downloaded data.
The latest CEO, Dara Khosrowshahi, installed in August 2017, questioned why customers caught up in the security snafu were not made aware of it earlier, and neither were US state or federal authorities.
ICO director of investigations Steve Eckersley, said:
"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
"Paying attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response the cyber attack," he added.
There was no legal duty to report the breach under the Data Protection Act (DPA) 1998 but that has all changed when GDPR was introduced in May: now firms have 72 hours to inform the ICO or have a bloody good reason for not doing so.
The Dutch Data Protection Authority today imposed a fine of €600,000 on Uber B/V and Uber Technologies for flouting the local DPA. The hack hit 174,000 Dutch citizens.
Uber was forced to pay $148m to US state authorities to settle the 2016 breach, the largest penalty handed out by multiple states.
Updated 28 11.02 GMT
A spokeswoman at Uber sent us a statement:
"We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since."
She added that this year Uber hired it first chief privacy officer, data protection officer, and a new chief trust and security officer, and said the company was learning from its "mistakes". ®