Procurement · 24 November 2017

Uber data leak could have earned £17.75m fine under GDPR

Uber's Birmingham office
Uber’s Birmingham office | The Uber data leak initially occurred in October 2016

Following confirmation that on-demand taxi app Uber concealed a data breach affecting 57m of its users, legal experts have suggested the company would have faced the harshest penalties of incoming data protection rules in 2018.

It has now been confirmed by Uber that in October 2016, the company was targeted by hackers who accessed the names, email addresses and phone numbers of around 50m users and seven million drivers. The company is alleged to have then paid the hackers €100,000 to delete the data and keep the story out of the media.

Uber has yet to offer a market breakdown of the leak, but confirmed that UK and EU residents were among those affected.

Under the EU’s General Data Protection Regulation (GDPR), set for introduction on 25 May 2018, firms found to be in breach of the directive could face fines up to four per cent of annual global revenue or €20m (£17.75m), whichever is higher.

Still unaware of how GDPR will affect your business? Take a look at our GDPR content:

As the hackers were paid off by Uber, the company would have breached the mandatory 72-hour data breach notification to the Information Commissioner’s Office (ICO), the UK body responsible for consumer data privacy, and would likely face full enforcement.

Outlining how Uber’s loss of data would be handled after May next year, Dean Armstrong, cyber law barrister at Setfords Solicitors, said GDPR was “designed specifically to deal with such occurrences”, and that regulators were unlikely to look favourably on the company’s year-long cover up.

“As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations, it would likely be in the tens of millions,” he said.

Whatever the potential fine could have been, Armstrong suggested Uber’s primary concern would be the reputational damage suffered, while the pay-off also set a dangerous precedent that would encourage hackers to target big firms.

“Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organisations.”

Crucially, although Uber’s breach occurred at the company’s California base, the fact that users across Europe were affected meant Uber would be liable to GDPR.

“The regulations will apply to any EU citizen’s data,” Armstrong explained.

“Assuming that at least some of the 50m records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation.”

Detailing how the attackers reached user data, Terry Ray, CTO at cyber security firm Imperva, said the ease of which accounts were accessed should sound the alarm for all companies.

“The hack wasn’t sophisticated – the digital thieves broke into the accounts of two Uber engineers on Github, where they found the passwords to some online data storage that contained the personal info, according to the report,” Ray said.

Responding to the Uber leak, James Dipple-Johnstone, deputy commissioner at the ICO, said the Uber data leak raised “huge concerns” around the app’s data protection policies and ethics, but also warned that other firms covering up a data leak would see greater force of the law.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” he said.

After GDPR is enacted in 2018, Simon Townsend, chief technologist at IT firm Ivanti, said “doing an Uber” would be unacceptable in the eyes of regulators.

Uber is currently recruiting for a new data protection officer.

With just six months to go, business organisations have warned that government silence on the new data protection bill has escalated fear and confusion among small business owners

Sign up to our newsletter to get the latest from Business Advice.


 
TAGS:

ABOUT THE EXPERT

Simon Caldwell is a reporter for Business Advice. He has a BA in politics and communications from the University of Liverpool, and previously worked as a content editor in the ecommerce industry.

Q&A

If you’ve found the article above useful, but have a more detailed and bespoke question, then please feel free to submit a query to our expert. We at Business Advice will get in contact with them on your behalf and arrange for a personalised response. These questions and answers will then be collated on the site for any other readers who have similar queries.

Ask a question

On the up