NEWS 27 November 2018

Uber fined by ICO over data hack

UK – Uber has been fined £385,000 by the Information Commissioner’s Office (ICO) for failing to protect its customers’ information in a series of data breaches in 2016.

The personal details of around 2.7 million UK users, including full names, email addresses and phone numbers, were accessed in the attacks during October and November 2016.

The records of almost 82,000 UK drivers were also taken, including details of journeys made and fees paid.

According to the ICO’s investigation, a series of "avoidable data security flaws" allowed attackers to gain access to a cloud-based system operated by Uber’s US parent company. The regulator said the incident left customers and drivers exposed to "increased risk of fraud".

The hack affected 57 million Uber users and 600,000 drivers worldwide.

Uber did not disclose the data breaches until a year later and originally attempted to cover up the incident by paying the hackers $100,000 to destroy the stolen data. 

Steve Eckersley, director of investigations at the ICO, said: "This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

While there was no legal obligation for Uber to report data breaches under the previous data protection legislation, the company’s response to the cyber attack was not "appropriate", and was likely to have "compounded the distress of those affected," Eckersley added.