Uber has been fined £385,000 for failing to protect customer information following a major data breach.
The taxi-hailing app was punished by the Information Commissioner's Office (ICO) after the breach, which saw the personal details of around 2.7 million UK customers put at risk back in October and November 2016.
Account details of 82,000 Uber drivers based in the UK, including their payments received and journey details, were also taken during the incident.
Uber has also been fined by the data protection authority in the Netherlands, the Autoriteit Persoonsgegevens, being ordered to pay €600,000 after 174,000 users in the country were also affected.
Uber data breach fine
Uber did not tell the customers or drivers affected about the incident for more than a year, instead paying the attackers responsible $100,000 to destroy the data that had been downloaded.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen," said ICO Director of Investigations Steve Eckersley.
"At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Eckersley added that Uber paying the attackers but not disclosing this was not "an appropriate response" to the attack.
And although the company was not legally obligated to report the breach (which took place before GDPR came into force, so was covered by the older Data Protection Act 1998, the ICO noted that "Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
- Want to ensure you stay private online? The best VPN services of 2018