Fine issued for Uber cyber attack

A hefty fine has been issued over the 2016 Uber cyber attack as a result of security flaws that could have prevented the breach in the first place.

The data for some 2.7m Uber customers in the UK was compromised, as were the records for over 80,000 drivers. The fine, issued by the ICO (Information Commissioner’s Office), is small in comparison to potential GDPR fines. This is because the cyber attack took place in 2016 before the new rules came into force.

Had the cyber attack have happened this year, Uber could have faced fines in the millions.

How the Uber cyber attack happened

The Uber cyber attack through the use of a ‘credential stuffing’ attack. Hackers essentially entered username and password combinations into Uber’s cloud storage system until they got a match for an account.

With the use of strong passwords and defences that can prevent multiple access attempts, this would have been an easy attack to have prevented.

Data exposed in the Uber cyber attack

Data that was exposed in the Uber cyber attack for some 2.7m customers included their:

Names;
Addresses;
Email addresses;
Telephone numbers.

The personal records of around 82,000 drivers was also exposed in the attack. Their data that was compromised included information about how they were paid as well.

Punishments issued for the Uber cyber attack

The punishment issued in the UK for the Uber cyber attack is a fine of £385,000.00 under the old rules prior to GDPR. They have also been hit with fines in the US and elsewhere in Europe as well.

The ICO stated there were “avoidable data security flaws”. In a statement, they said:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

Controversially, the company tried to pay the attackers off with a bribe which they later claimed was a prearranged security contract. Although companies do hire experts with the skills to hack their systems in efforts for financial rewards, known as “bug bounties”, the Uber cyber attack was not an example of this. An employee attempted to pass it off this way and was subsequently fired.

Can you claim compensation as a victim of the Uber cyber attack?

You may be able to claim compensation as a victim of the 2016 Uber cyber attack. It can depend on what data of yours was compromised, and how it has affected you.

It is two years on since the incident, so if you’ve yet to start a legal case, you should speak to our team as soon as you can.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.

Create A Call Back

Information on how we handle your data is available in our Privacy Policy.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.