Uber, the technology company that developed that now well-known ridesharing app, may be considering itself “lucky” to be the recipient of a £385,000 fine from the ICO (the UK’s privacy watchdog) this week. The fine related to a data security breach, which occurred back in 2016 for which US regulators had already fined Uber a total of $148 million. But those more eagle-eyed GDPR aficionados will have spotted that, with the breach occurring pre-25th May 2018, Uber avoided fines of up to 20 million euros or 4% of annual global turnover (whichever is the higher); and as a result could only have received the then maximum penalty, of £500,000.
So, could it have been a different story post-25th May 2018? Maybe not – it is estimated that whilst Uber racked up sales of $7.5bn last year, it posted losses of $4.5bn.
So just what happened back in 2016?
During October and November 2016, the full names, addresses and phone numbers of 2.7 million Uber customers were obtained by hackers. Additionally, hackers acquired information concerning nearly 82,000 drivers – this information included details of journeys undertaken by drivers and the costs of such journeys.
It later transpired that the hack had occurred as a result of an avoidable security flaw. Hackers had gained access to Uber’s cloud servers, which allowed them to download the personal details of its customers and drivers. As a result of the data security breach, the customers who were involved were exposed to an increased risk of becoming victims of fraud.
What compounded Uber’s error – and in what is seen by some as being in flagrant disregard for its customers – they failed to immediately inform data subjects that their personal details had indeed been compromised. That message only got to its customers over a year after the incident had taken place.
Not only did Uber fail to report the data breach to the ICO, they instead, offered the hackers a sum of money to convince them to destroy the data obtained.
What did the ICO take issue with?
The ICO was of the opinion that Uber’s conduct constituted a breach of one of the fundamental principles under data protection law – the requirement for organisations to have in place appropriate technical organisational measures to prevent such incidents from occurring (the Security Principle).
The ICO’s Director of Investigations, Steve Eckersley, stated that Uber’s conduct demonstrated a “serious failure of data security” and a “complete disregard” for those whose data had been accessed by hackers.
Eckersley further expressed that Uber’s decision to pay hackers and subsequently not report the incident was “not an appropriate response to the cyber-attack”.
What action has Uber taken to remedy the situation?
Critical in responding to any cyberattack, is how an organisation acts to remedy the situation and what steps it puts in place to prevent something like this from happening again. Uber has reported that, since the incident, it has changed its data handling procedures; and has now appointed a Chief Privacy Officer, a Data Protection Officer and a Chief Trust and Security Officer.
Further, Uber has reported it has taken action since the incident in terms of improving the security measures that it has in place, by making “a number of technical improvements to the security of (its) systems.” We probably won’t get to know about what those steps have been – as that may compromise the security measures!
What are the implications for your organisation and what should you do?
Although Uber were “only” fined £385,000, had the incident occurred after the GDPR came into force, it is possible that a much larger fine could have been imposed. As we highlighted earlier, for data security breaches occurring after May 2018, organisations face fines of up to 4% of global revenue or 20 million euros (whichever is higher). Therefore, your organisation should be aware of the possibility of increased fines for data security breaches.
Cyberattacks are a real business risk, regardless of your business size. Not sure where to start? Visit the UK Governments Cyber Essentials webpage where you will find lots of helpful information and guidance.
Having cyber security prevention measures in place are essential to defending your business; as are having internal protocols and procedures in place on how to react when the measures haven’t performed as you would have expected – which will mean your organisation will be able to react quicker and hopefully prevent the situation from deteriorating further and limiting loss; and of course training your staff to identify malicious emails and adopting simple good practices (such as password protection and encryption) will be critical.
In the event of any security breach, the ICO will place considerable weight on whether your organisation had adequate data security measures in place; and where any incident was “avoidable”. Where the ICO finds otherwise, your organisation is at risk of large fines.
