Uber Fined Nearly $1.2 Million By Dutch, UK Over 2016 Data Breach (cnbc.com)
British and Dutch authorities fined Uber a combined $1.17 million for a 2016 data breach that exposed the personal details of millions of customers. "The U.K.'s Information Commissioner's Office (ICO) announced a $491,284 fine against the ride-sharing company for 'failing to protect customers' personal information during a cyber attack' in October and November of 2016," reports CNBC. "The Dutch Data Protection Authority imposed its own $679,257 penalty for the same incident." From the report: The 2016 cyberattack allowed hackers to access the personal details, including full names, email addresses and phone numbers, of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands, authorities said. The U.K.'s ICO said the cyberattack represented a "serious breach" of the country's Data Protection Act of 1998 by exposing customers and drivers to increased risk of fraud. The Dutch regulator said it was fining Uber because it did not report the breach within the country's mandated 72-hour window.
In September, Uber agreed to pay $148 million to settle claims related to the 2016 data breach to states across the U.S. and Washington, D.C. In a statement Tuesday, an Uber spokesperson said the company is "pleased to close this chapter on the data incident from 2016."
Do you avoid using Uber because you expect them to expose customer data to the world or do you have different reasons? There will be other companies you do buy goods or services from. Do you expect them to expose your personal data to the world, or do you avoid doing business with anybody because you value your privacy?
European privacy legislation is an attempt to restrict companies and other organizations to use personal data only for the purposes for which you gave them that data, and to be transparent about it. The Dutch data protection officer over the years in most cases hasn't issued fines or penalties but warned organizations to get their act together. Fines and penalties are generally only used when they fail to do so. I'm not sure if this approach will change under the GDPR, but that is what I've seen so far.
Uber fucked up badly because they tried to cover up a serious breach. That is why they were fined.