DPO.Business News and Blogs


27 November 2018

The UK Information Commissioner's Office (ICO) has fined Uber £385k after a cyber attack compromised the confidentiality of personal data it held. The Dutch data protection authority (Autoriteit Persoonsgegevens) also fined Uber the equivalent of £532k, a combined total of roughly £917k.

This still doesn't provide any insight into the potential size of future GDPR fines, because this civil monetary penalty was issued under the Data Protection Act 1998 (which capped fines at £500k) for a serious breach of principle 7 (Security), not under GDPR. The attack itself happened back in October/November 2016. It only became public in November 2017, which is when the ICO became aware of it.

Would you approach security differently, if you knew this punishment was looming?

So what happened?

It appears that attackers gained access to the US parent's cloud storage, allowing them to download data about 2.7m UK customers (name, email address, phone number) and 82k UK drivers (journeys made and the cost). A further 174k Dutch citizens were affected, which fell to the Dutch regulator rather than the ICO.

The primary cause appears to be credential stuffing: username and password pairs stolen in an earlier breach (probably at another company) are replayed, usually by automated tooling, against other companies' login systems. Because people reuse passwords, the attacker will eventually, and almost inevitably, find accounts where the same username and password combination works.
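Credential stuffing leaves a recognisable footprint in authentication logs: one source tries many different usernames, most attempts fail, and the occasional success is a reused password being found. The following is an added example (not code from the original article or from Uber) that applies those two heuristics to a constructed sample log; the log lines, IP addresses, usernames and thresholds are all made up for illustration.

```python
"""Flag credential-stuffing sources and the accounts they got into.

Heuristics used:
  1. A source IP that attempts many *distinct* usernames with a high
     failure rate is probably replaying a leaked credential dump.
  2. Any SUCCESS from such a source is a likely compromised account
     (the reused password matched) and should be reset / challenged.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Format per line:
#   <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
# 203.0.113.7 is a stuffing source cycling through a leaked dump;
# 198.51.100.4 is a legitimate user who mistyped twice.
SAMPLE_LOG = """\
2018-10-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2018-10-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2018-10-12T03:00:02Z 203.0.113.7 carol@example.com FAIL
2018-10-12T03:00:03Z 203.0.113.7 dave@example.com SUCCESS
2018-10-12T03:00:03Z 203.0.113.7 erin@example.com FAIL
2018-10-12T03:00:04Z 203.0.113.7 frank@example.com FAIL
2018-10-12T03:00:04Z 203.0.113.7 grace@example.com FAIL
2018-10-12T03:00:05Z 203.0.113.7 heidi@example.com SUCCESS
2018-10-12T03:00:05Z 203.0.113.7 ivan@example.com FAIL
2018-10-12T03:00:06Z 203.0.113.7 judy@example.com FAIL
2018-10-12T03:01:00Z 198.51.100.4 mallory@example.com FAIL
2018-10-12T03:01:20Z 198.51.100.4 mallory@example.com FAIL
2018-10-12T03:01:45Z 198.51.100.4 mallory@example.com SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """IPs that tried at least min_users distinct accounts and mostly failed.

    A normal user hammers one or two usernames; a stuffer walks a list.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    fails = defaultdict(int)
    for _, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        if not ok:
            fails[ip] += 1
    return {
        ip
        for ip in attempts
        if len(users[ip]) >= min_users
        and fails[ip] / attempts[ip] >= min_fail_ratio
    }


def compromised_accounts(events, sources):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({user for _, ip, user, ok in events if ok and ip in sources})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    srcs = stuffing_sources(evts)
    print("stuffing sources:", sorted(srcs))
    print("accounts to reset:", compromised_accounts(evts, srcs))
```

In a real deployment the per-IP counts would be computed over a sliding window, and the per-IP view alone is not enough: stuffing run through a botnet spreads a handful of attempts across thousands of addresses, so a site-wide jump in the overall login failure rate (and in logins from addresses never seen for that account before) is the complementary signal to watch.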

Many companies now use Multi-Factor Authentication (MFA) specifically to mitigate this type of risk: a replayed password on its own is no longer enough to log in.

Staff training can also help. For example, adding a site-specific element to each password (such as the first two letters of the website's name) means a password leaked from one site will not work unchanged on another. Bear in mind that such a predictable pattern offers little protection against an attacker who targets your accounts specifically, so a password manager generating a unique random password per site is the stronger form of the same advice. Regularly changing passwords also shortens the window in which a leaked password is useful, although this control creates its own risks: forced expiry tends to produce weaker, predictable passwords, which is why the NCSC now advises against routine password expiry.

The ICO deems this type of attack avoidable, so there are no excuses if you are compromised in the same way.

It appears that Uber paid the attackers $100k to destroy the data. Trusting crooks to keep their word is unlikely to work out well in the long term, and there is no way to verify that a copy was actually destroyed.

The ICO said "Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."

We think they could have done with data protection advisory services from DataGRC and the Data Sentinel online Data Protection training, Records Management and Compliance Assessment tools.

See the best data protection, privacy and security news...

181130 Marriott data breach - 500m customers
181126 ICO fines Uber £385k; Dutch fine them £532k
181029 Portugal fines hospital £400k
181026 DataGRC article for CILEX (lawyer regulator) - GDPR update
181025 BA security breach update 185k avios reward users
181025 Security Breach Cathay Pacific 9.5m Passengers
181024 ICO DPA'98 fines Facebook £500k
181022 Court of Appeal holds Morrisons vicariously liable for data breach
181009 ICO PECR fine Boost (findmeafuneralplan.com) £90k
181008 ICO DPA'98 fine HAL £120k
181002 ICO PECR fine STS Commercial £60k
181001 ICO PECR fine Oaklands Assist £60k
181001 FCA fine Tesco Bank £16.4m
180928 ICO DPA'98 fine BUPA £175k
180928 ICO DPA'98 fine Equifax £500k
180907 British Airways data breach 380,000 customers
181030 DataGRC GDPR article for EyeForTravel - 3 tips for managing data breaches
180427 DataGRC article for CILEX (lawyer regulator) - GDPR overview
180322 DataGRC GDPR article for EyeForTravel - 10 practical recommendations


Articles made publicly available on this website are general information and should never be mistaken for formal or legal advice. If you are seeking formal advice for your specific requirements, please contact our advisory team.