Following a data breach which exposed personal information of roughly three million European customers, Uber has been fined over £900,000 by Dutch and British authorities.
£900,000 does sound like a lot of cash, but let’s just put it into perspective for the moment. In the Netherlands, details of 174,000 customers and drivers were hacked, resulting in a €600,000 (roughly £532,000) fine, while the punishment for leaking details of 2.7 million customers and drivers in the UK was £385,000. In the US, where the exposure was admittedly significantly higher, Uber had to fork out $148 million. The numbers aren’t exactly consistent.
Uber should certainly consider itself lucky the incident occurred prior to the implementation of GDPR, though the fines simply demonstrate how important the new rules are in enforcing data protection requirements. Under today’s rules, Uber could have potentially been fined 3% of global annual turnover, and we suspect the fact it tried to cover up the incident meant it would have been held fully accountable.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Information Commissioner’s Office Director of Investigations, Steve Eckersley. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
While many found the implementation of GDPR a nightmare, this is an incident which demonstrates why new data protection rules were completely necessary. In our opinion, Uber got off lightly considering the severity of the breach and subsequent efforts to cover up the hack with ‘hush-money’.
Once the breach was discovered, Uber tried to sweep the incident under the rug. Instead of reporting the breach to authorities, customers and drivers, it paid the hacker $100,000 on the promise that the data, which had been downloaded from a cloud-based storage system operated by Uber’s US parent company, would be deleted and that the hacker would keep quiet. As with all of these incidents, the truth eventually emerged. Here, it took a full year.
Both the Dutch data protection authority’s and the ICO’s investigations found the breach could have been avoided if basic and appropriate data protection protocols had been followed. Under GDPR, Uber is obliged to inform the relevant data protection authorities within 72 hours of discovery, and doing so can mean fines are reduced or avoided. If a company co-operates and is able to demonstrate it has put acceptable protections in place, authorities will not punish it in the strictest of terms.
This is an aspect of GDPR which we like. Rule makers have accepted there is no such thing as 100% secure, and have created a framework with in-built sympathy for those cases which cannot be avoided. As long as a company is proactive and honest, authorities are willing to work alongside industry to make customers and employees more secure.
This incident is not an example of that scenario, however. Uber acted completely irresponsibly and is incredibly fortunate the breach occurred at a time when data protection rules and punishments were woefully outdated. The whole affair does leave two questions remaining, however…
Firstly, how many more incidents have there been which have been swept under the carpet? We can almost guarantee there will be a few. Secondly, will the EU hold the guilty parties fully accountable to GDPR punishments? We need to know whether authorities are prepared to swing the very sharp stick GDPR hands them.