Last month Uber revealed that in 2016, hackers accessed the data of 57 million Uber users and drivers. The scale and alleged cover-up of the data breach has set off alarm bells across the globe and especially at data protection regulators. In Europe, the Article 29 Working Party (the EU data protection oversight body) has established a taskforce to help co-ordinate national investigations into the data breach.
Uber chose not to disclose the breach in 2016 and instead paid a ransom to the hackers to delete the stolen data. Security experts have criticised Uber for paying the ransom, as it demonstrates to hackers that big corporations are willing to pay out. More importantly, there is no guarantee the hackers actually deleted the data, so copies may well leak in the future – hackers are not known for being upstanding, honest citizens.
In the UK, Uber has confirmed that the breach affected approximately 2.7 million user accounts and involved names, mobile phone numbers and email addresses. The Information Commissioner’s Office (ICO) is working with the National Cyber Security Centre (NCSC) to investigate the scope of the breach.
While the reputational damage to Uber may be profound, at the forefront of its mind is the potential raft of data protection fines heading its way. Currently, under the Data Protection Act 1998, the ICO’s fining power maxes out at £500,000, but the accumulation of fines from regulators around the world could spell a headache for the ride-hailing company.
With the General Data Protection Regulation (GDPR) due to come into force in a matter of months, the growing number of high-profile data breaches and the potentially significant fines under the GDPR are forcing organisations to rethink their data strategies.