A hefty fine has been issued over the 2016 Uber cyber attack as a result of security flaws that, had they been addressed, could have prevented the breach in the first place.
The data for some 2.7m Uber customers in the UK was compromised, as were the records for over 80,000 drivers. The fine, issued by the ICO (Information Commissioner’s Office), is small in comparison to potential GDPR fines. This is because the cyber attack took place in 2016 before the new rules came into force.
Had the cyber attack happened this year, Uber could have faced fines in the millions.
How the Uber cyber attack happened
The Uber cyber attack was carried out through a ‘credential stuffing’ attack. Hackers essentially entered username and password combinations into Uber’s cloud storage system until they got a match for an account.
With strong passwords and defences that block multiple access attempts, this would have been an easy attack to prevent.
Data exposed in the Uber cyber attack
Data that was exposed in the Uber cyber attack for some 2.7m customers included their:
- Names;
- Addresses;
- Email addresses;
- Telephone numbers.
The personal records of around 82,000 drivers were also exposed in the attack. Their compromised data also included information about how they were paid.
Punishments issued for the Uber cyber attack
The punishment issued in the UK for the Uber cyber attack is a fine of £385,000.00 under the old rules prior to GDPR. Uber has also been hit with fines in the US and elsewhere in Europe.
The ICO stated there were “avoidable data security flaws”. In a statement, they said:
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Controversially, the company tried to pay the attackers off with a bribe, which it later claimed was a prearranged security contract. Although companies do hire experts with the skills to hack their systems in return for financial rewards, known as “bug bounties”, the Uber cyber attack was not an example of this. An employee attempted to pass it off this way and was subsequently fired.
Can you claim compensation as a victim of the Uber cyber attack?
You may be able to claim compensation as a victim of the 2016 Uber cyber attack. It can depend on what data of yours was compromised, and how it has affected you.
It is two years on since the incident, so if you’ve yet to start a legal case, you should speak to our team as soon as you can.