Sihai network

What happened in the leak of 3 million UK passengers' data? Uber was fined £385,000

Uber was hacked in 2016, resulting in a leak of data from 3 million UK users. Uber was fined £385,000. Let's take a look.

In November 2016, the attacker broke into an Uber cloud server and downloaded 16 large files containing information on 35 million users around the world, such as passengers' full names, phone numbers, email addresses and the places where they registered for the service.

Another 3.7 million Uber drivers were affected, including 82,000 from the UK; their weekly pay, trip summaries and, in some cases, driver's license numbers were leaked.

The ICO said that the intrusion was made possible by failings in Uber's information security, and that Uber's US company not only failed to disclose the attack but also met the hacker's demands, paying the hacker $100,000 as a 'vulnerability reward', or bug bounty. Such rewards are very common in the security field: if you find a security vulnerability in a company's systems before the flaw is attacked and notify the company, the company will reward you.

The ICO wrote: 'Uber US did not follow the normal process of its vulnerability incentive program. In this incident, the external attacker who gets the money from Uber US company is essentially different from the legitimate vulnerability reward recipient: the latter will disclose the vulnerability responsibly, while the former maliciously uses the vulnerability to obtain the personal information of Uber users.'

The ICO said Uber did not tell any users that their data had been compromised. It was not until 12 months after the attack that the company began monitoring account fraud.

However, Uber received a lighter penalty, for two reasons. First, Uber's European branch was not informed of the incident and so was unable to report it to the ICO. Second, there was no evidence that the leaked data had been abused.

In September, Uber US was fined $148 million in the United States for failing to notify drivers of the data breach.

Uber said in a statement: 'We are happy to put an end to this event in 2016. During the investigation conducted by European institutions, we have shown that we have made continuous technical improvements in the security of Uber's system after the invasion. We have also made major changes to our leadership to ensure proper transparency for regulators and users. Earlier this year, we hired the company's first chief privacy officer, data protection officer, and a new chief trust and security officer. We learned from our mistakes and continued to work hard to win the trust of our users.'

Because the breach happened in 2016, Uber was fined under the Data Protection Act 1998, which set a maximum fine of £500,000. Under the general data protection act of 2018, Uber could be fined far more, up to 4% of its global revenue.