By Esmée Hardwick-Slack
Uber has agreed to pay $148m for the data breach that exposed the personal details of 57m users and 600,000 drivers in 2016, 2.7M of those affected were in the UK.
Last November the company revealed that a flaw in how the data was stored online had allowed hackers to access sensitive information including names, email addresses and phone numbers, as well as drivers’ licence numbers. The company paid the hackers behind the breach $100,000 to delete the data grabbed from Uber’s cloud servers. Chief executive at the time, Travis Kalanick, knew about the incident but the company did not disclose it until 12 months later.
Companies in the US are required to come clean about any and all data breaches as soon as possible so that customers can be on the lookout for fraud attempts. Uber have since admitted that they should have been more open about the attack and were wrong to cover it up. Two security official were fired for their handling of the incident.
California’s attorney general, Xavier Becerra, has called the scandal “a blatant violation of the public’s trust”.
“The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law”.
Uber’s chief legal officer, Tony West has said: “We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
The UK’s Information Commissioner’s Office has said it is investigating the case.