Procurement · 24 November 2017

Uber data leak could have earned £17.75m fine under GDPR

Uber’s Birmingham office | The Uber data leak initially occurred in October 2016
Following confirmation that on-demand taxi app Uber concealed a data breach affecting 57m of its users, legal experts have suggested the company would have faced the harshest penalties of the incoming data protection rules in 2018.

It has now been confirmed by Uber that in October 2016, the company was targeted by hackers who accessed the names, email addresses and phone numbers of around 50m users and seven million drivers. The company is alleged to have then paid the hackers $100,000 to delete the data and keep the story out of the media.

Uber has yet to offer a market breakdown of the leak, but confirmed that UK and EU residents were among those affected.

Under the EU’s General Data Protection Regulation (GDPR), set for introduction on 25 May 2018, firms found to be in breach of the directive could face fines of up to four per cent of annual global revenue or €20m (£17.75m), whichever is higher.


As the hackers were paid off by Uber, the company would have breached the mandatory 72-hour data breach notification to the Information Commissioner’s Office (ICO), the UK body responsible for consumer data privacy, and would likely face full enforcement.

Outlining how Uber’s loss of data would be handled after May next year, Dean Armstrong, cyber law barrister at Setfords Solicitors, said GDPR was designed specifically to deal with such occurrences, and that regulators were unlikely to look favourably on the company’s year-long cover up.

“As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations, it would likely be in the tens of millions,” he said.

Whatever the potential fine could have been, Armstrong suggested Uber’s primary concern would be the reputational damage suffered, while the pay-off also set a dangerous precedent that would encourage hackers to target big firms.

“Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organisations.”

Crucially, although Uber’s breach occurred at the company’s California base, the fact that users across Europe were affected meant Uber would be liable to GDPR.

“The regulations will apply to any EU citizen’s data,” Armstrong explained.

“Assuming that at least some of the 50m records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation.”

Detailing how the attackers reached user data, Terry Ray, CTO at cyber security firm Imperva, said the ease with which accounts were accessed should sound the alarm for all companies.


Praseeda Nair is an impassioned advocate for women in leadership, and likes to profile business owners, advisors and experts in the field of entrepreneurship and management.