Did Uber skip more than a taxi line with its latest fine?

Uber, the technology company behind the now well-known ridesharing app, may consider itself “lucky” to be the recipient of a £385,000 fine from the ICO (the UK’s privacy watchdog) this week. The fine relates to a data security breach which occurred back in 2016 and for which US regulators had already fined Uber a total of $148 million. More eagle-eyed GDPR aficionados will have spotted that, because the breach occurred before 25th May 2018, Uber avoided fines of up to 20 million euros or 4% of annual global turnover (whichever is the higher) and could only have received the then maximum penalty of £500,000.

So, could it have been a different story post-25th May 2018? Maybe not – it is estimated that whilst Uber racked up sales of $7.5bn last year, it posted losses of $4.5bn.

So just what happened back in 2016?

During October and November 2016, the full names, addresses and phone numbers of 2.7 million Uber customers were obtained by hackers. Additionally, hackers acquired information concerning nearly 82,000 drivers – this information included details of journeys undertaken by drivers and the costs of such journeys.

It later transpired that the hack had occurred as a result of an avoidable security flaw. Hackers had gained access to Uber’s cloud servers, which allowed them to download the personal details of its customers and drivers. As a result of the data security breach, the customers who were involved were exposed to an increased risk of becoming victims of fraud.

What compounded Uber’s error, and what some see as flagrant disregard for its customers, was that it failed to inform data subjects promptly that their personal details had been compromised. That message only reached its customers over a year after the incident had taken place.

Not only did Uber fail to report the data breach to the ICO; it instead offered the hackers a sum of money to convince them to destroy the data they had obtained.

What did the ICO take issue with?

The ICO was of the opinion that Uber’s conduct constituted a breach of one of the fundamental principles under data protection law: the requirement for organisations to have in place appropriate technical and organisational measures to prevent such incidents from occurring (the Security Principle).

The ICO’s Director of Investigations, Steve Eckersley, stated that Uber’s conduct demonstrated a “serious failure of data security” and a “complete disregard” for those whose data had been accessed by hackers.

Eckersley further expressed that Uber’s decision to pay hackers and subsequently not report the incident was “not an appropriate response to the cyber-attack”.

What action has Uber taken to remedy the situation?

Critical in responding to any cyberattack is how an organisation acts to remedy the situation and what steps it puts in place to prevent something like this from happening again. Uber has reported that, since the incident, it has changed its data handling procedures and has now appointed a Chief Privacy Officer, a Data Protection Officer and a Chief Trust and Security Officer.

Further, Uber has reported that it has improved the security measures it has in place since the incident by making “a number of technical improvements to the security of (its) systems.” We probably won’t get to know what those steps have been, as disclosing them may compromise the security measures themselves.

What are the implications for your organisation and what should you do?

Although Uber were “only” fined £385,000, had the incident occurred after the GDPR came into force, it is possible that a much larger fine could have been imposed. As we highlighted earlier, for data security breaches occurring after May 2018, organisations face fines of up to 4% of global revenue or 20 million euros (whichever is higher). Therefore, your organisation should be aware of the possibility of increased fines for data security breaches.

Cyberattacks are a real business risk, regardless of your business size. Not sure where to start? Visit the UK Government’s Cyber Essentials webpage, where you will find lots of helpful information and guidance.

Having cyber security prevention measures in place is essential to defending your business. Equally essential are internal protocols and procedures on how to react when those measures have not performed as expected; these will allow your organisation to react more quickly and, hopefully, prevent the situation from deteriorating further and limit the loss. Of course, training your staff to identify malicious emails and adopting simple good practices (such as password protection and encryption) will also be critical.

In the event of any security breach, the ICO will place considerable weight on whether your organisation had adequate data security measures in place and on whether the incident was “avoidable”. Where the ICO finds that it did not and that the incident was avoidable, your organisation is at risk of large fines.
