British and Dutch authorities fined Uber 1 million euros over a 2016 customer data breach


Uber is a US technology company that develops and operates mobile applications connecting users with drivers who provide transportation services. The company has just been fined more than 900,000 for a data breach in 2016 that affected customer data. The Information Commissioner's Office (ICO), a UK public body that upholds the right to information in the public interest by promoting the transparency of public bodies and the protection of personal data, fined Uber 385,000, or about 434,000, for failing to adequately protect its customers' personal information during a cyber attack.

At the same time, the Dutch Data Protection Authority (DPA), the data protection authority of the Netherlands, also fined Uber 600,000 for violating Dutch data protection law. In total, the Californian company faces fines of about one million euros. Recall that at the end of November 2017, the ride-hailing company's CEO, Dara Khosrowshahi, reported that two hackers had stolen the personal data of 57 million Uber Technologies customers and drivers. This data breach had been known to his security chief, Joe Sullivan, and one of his assistants, Craig Clark, since 2016.

To cover up certain actions, the two kept these facts quiet and paid the hackers $100,000, asking them to erase the data in their possession. After investigating the case, Reuters reported that one of the two hackers involved in the data theft was a 20-year-old man who received the amount indicated ($100,000) as a reward paid through the bug bounty program run by the company. A Reuters source described the hacker as living with his mother in a small house and trying to help pay the bills. Reuters adds that members of Uber's security team did not want to prosecute someone who did not appear to pose a real threat.

The CEO gave assurances that at the time of the incident, Uber took immediate steps to protect the data and to end the unauthorized access by the individuals. The company then identified the individuals and obtained assurances that the downloaded data had been destroyed. It then implemented security measures to restrict access to, and control of, cloud-based storage accounts. The compromised data included names and license numbers of 600,000 drivers. Uber's decision to conceal the violation was a flagrant violation of public trust, said California Attorney General Xavier Becerra in a statement. The company was unable to protect user data and to inform the authorities when it was exposed, he added.

The transport company, which wants to regain the trust of customers and drivers and rebuild its image, is cooperating fully with the investigation. The company has decided to pay $148 million, which will be distributed among the 50 states and the District of Columbia. Tony West, Uber's legal director, said the company recently hired a privacy officer and a security officer. We know that gaining the trust of our customers and the regulators we work with globally is not an easy task. After all, trust is hard to gain and easy to lose, West said.

This is not only a serious data protection failure on Uber's part, but also a total disregard for the customers and drivers whose personal data was stolen, says Steve Eckersley, the ICO's Director of Investigations, quoted in a statement. At the time, no action was taken to alert anyone affected or to offer help and support, he added. The ICO said data of nearly 82,000 drivers based in Britain was compromised in October and November 2016. The Dutch authorities reported 174,000 people affected by the incident. In a statement, Uber said it was pleased to close this chapter on the 2016 data incident.

Paying off the attackers and then keeping the matter secret was not, in our view, an appropriate response to the cyber attack, Eckersley said. The Data Protection Act (DPA) 1998 imposed no legal obligation to report data breaches, but everything has changed since the GDPR came into force last May. Companies now have 72 hours to inform the ICO, or must have a valid reason for not doing so. The two fines are thus limited to those authorized by the Data Protection Act 1998. Had the security incident occurred after the GDPR entered into force, the fines could have been much higher.

Sources: DPA, ICO
