ride-sharing company Uber with a total fine of $1,170,892 (~ 1.1
million) for failing to protect its customers’ personal information
during a 2016 cyber attack involving millions of users.
Late last year, Uber unveiled that the company had suffered a
massive data
breach[1] in October 2016,
exposing names, email addresses and phone numbers of 57 million
Uber riders and drivers along with driving license numbers of
around 600,000 drivers.
Besides this, it was also reported that instead of disclosing
the breach at the time, the company paid $100,000 in
ransom to the two hackers with access to the stolen data in
exchange for keeping the incident secret and deleting the
information.
[2]
Today Britain’s Information Commissioner’s Office (ICO) fined[3] Uber 385,000 pounds
($491,102), while the Dutch Data Protection Authority (Dutch DPA)
levied[4]
a 600,000 euro ($679,790) penalty on Uber for failing to protect
the personal information of its 3 million British and 174,000 Dutch
citizens, respectively.
“In 2016 a data breach occurred at the Uber concern in the form of
unauthorized access to personal data of customers and drivers. The
Uber concern is fined because it did not report the data breach to
the Dutch DPA and the data subjects within 72 hours after the
discovery of the breach,” the Dutch DPA says.
Uber’s cloud-based storage system using stuffing attack—”a process
by which compromised username and password pairs are injected into
websites until they are matched to an existing account”—a loophole
that could have been “avoided.”
“Uber US did not follow the normal operation of its bug bounty
programme. In this incident Uber US paid outside attackers who were
fundamentally different from legitimate bug bounty recipients:
instead of merely identifying a vulnerability and disclosing it
responsibly, they maliciously exploited the vulnerability and
intentionally acquired personal information relating to Uber
users,” the ICO states.
compromised by the incident were notified of the breach. Instead,
Uber started monitoring affected riders and drivers accounts for
fraud 12 months after the cyber attack, when the incident was made
public last year.
At the time, Uber notified regulatory authorities and offered
affected drivers free credit monitoring and identity theft
protection.
The company assured its users that other personal details, such
as trip location history, credit card numbers, bank account
numbers, Social Security numbers or dates of birth, were not
accessed in the attack.
Since the data breach happened before the EU’s General Data
Protection Regulation (GDPR) took effect in May 2018, the fine of
£385,000 imposed under the UK’s old Data Protection Act 1998 is
still lesser.
The penalty could have been much larger had it fallen under EU’s
General Data Protection Regulation (GDPR), wherein a company could
face a maximum fine of 17 million pounds or 4% of its annual global
revenue, whichever is higher, for such a privacy breach.
Last month, the UK’s data protection watchdog also imposed a
fine of £500,000 on
Facebook[5] for allowing political
consultancy firm Cambridge Analytica to gather and misuse data of
87 million users improperly.
In September, the ICO also issued the maximum allowed fine of £500,000 on
credit reporting agency Equifax for its last year’s massive
data breach that exposed personal and financial data of hundreds of
millions of its customers.
[6]
References
- ^
massive data breach
(thehackernews.com) - ^
paid $100,000 in ransom
(thehackernews.com) - ^
fined
(ico.org.uk) - ^
levied
(autoriteitpersoonsgegevens.nl) - ^
fine of £500,000 on Facebook
(thehackernews.com) - ^
fine of £500,000 on credit reporting
agency (thehackernews.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/hu0UAZzZPvs/uber-data-breach-fine.html