The Information Commissioner’s Office has fined Uber £385,000 for failing to protect its users’ data. Around 2.7 million UK customers had private information stolen by hackers in the attack.
The ICO says that Uber suffered a series of "avoidable data security flaws" that allowed customer data to be accessed and downloaded from Uber’s cloud-based storage. The data included full names, email addresses and phone numbers.
The attack targeted Uber’s website. Using previously compromised username and password pairs, the hackers flooded the site with them until they found matches.
The hackers were then able to access Uber’s data storage, where they downloaded the data.
Hacks like this are a reminder to use a different password for every site you use, but until everyone does that, this sort of attack will remain viable.
Uber failed to disclose the breach to customers and paid the hackers $100,000 to destroy the data.
It wasn’t just customers who were affected: around 82,000 Uber drivers also had their information downloaded, including how much they earnt through the app-based taxi company.
ICO Director of Investigations, Steve Eckersley, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.”
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
The UK isn’t the only nation fining Uber; Dutch authorities also hit the firm using pre-GDPR legislation. Both Autoriteit Persoonsgegevens, the authority for the Netherlands, and the ICO were involved in an international task force which investigated the data security failures.
Uber was also fined $148m earlier in the year by US authorities after failing to disclose the 2016 hack.