The Information Commissioner's Office is about to rake in and distribute a nice £385,000 from loss-making ride-hailing business Uber, as punishment for the data protection failings that led to its UK driver and customer data being hacked in 2016.
The massive breach saw the cloud-based servers storing details of 2.7 million Uber customers and 82,000 drivers compromised, with hackers acquiring the names, email addresses and phone numbers of app users, along with the ride history and earnings data of drivers. The ICO says this was an entirely avoidable breach: the servers were accessed by "credential stuffing" the login fields, replaying existing email and password pairs belonging to Uber staff that had leaked in unrelated security breaches elsewhere on the datasphere, until one matched Uber's Amazon IAM ID account and the bad men in hooded tops got in.
What stuck another zero on the fine was the fact that Uber knew about the breach, sat on the embarrassing fact for a year and even tried to pay off the hackers to make it all go away, with the ICO's investigations director Steve Eckersley explaining: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
Oh, and the Dutch equivalent of the ICO has also fined Uber €600,000 (£530,000) for the same thing. Mere drops in the ocean of burning cash when it's already losing billions a year anyway. [ICO [PDF] via Sky News]