Uber has been fined by both the UK and Dutch data protection regulators following a data breach in which the personal data of Uber users and drivers was downloaded by hackers. Uber did not inform either regulators or the relevant individuals after becoming aware of the incident, but instead paid $100,000 to the hackers to destroy the data. The UK’s ICO fined Uber £385,000 for breaching the seventh data protection principle under the UK’s Data Protection Act 1998 (“DPA 1998”). This requires firms to take appropriate technical and organisational measures against unauthorised or unlawful processing, or loss or destruction, of personal data. Uber was also fined €600,000 by the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, for failing to report the data breach to the Dutch authority within 72 hours.
In late 2016, hackers gained access to a cloud-based database maintained by Uber’s US entity and downloaded 16 files containing personal data of users and drivers worldwide. The files included the full name, mobile number and email address of 32 million Uber users as well as the “initial sign-up location” data and encrypted passwords for some of them. Once the files were downloaded, the attackers alerted Uber US to the incident and demanded a payment of at least $100,000 to reveal how they had accessed Uber’s cloud storage and to destroy the files they had downloaded. Uber paid the $100,000 and received assurances that the downloaded data had been destroyed.
The data breach was not initially reported by Uber. Regulators and the public were not aware of the breach until it was leaked to the press in November 2017, only a few months after Uber’s new CEO, Dara Khosrowshahi, had taken charge. That prompted regulatory investigations in a number of jurisdictions. In September 2018, the first fines were imposed in the US, an aggregate penalty of $148 million for all 50 states and the District of Columbia. This has now been followed by the first European fines.
The ICO’s penalty notice is notable for a number of points:
- The hackers were able to gain access to the database in which the personal data was stored by using credentials found in a third-party service that Uber used as a code repository. The hackers used a process of “credential stuffing” to access Uber’s account in this repository, i.e. they obtained username and password pairs leaked from other (non-Uber) accounts and replayed those compromised credentials against websites until they matched additional accounts. One of the reasons they were able to use this method to access the Uber repository was the lack of multi-factor authentication for employees logging into it, a common failing in businesses across all sectors. The ICO alighted on this specific failing as one of the reasons for concluding that the security arrangements were inadequate.
- Similarly, the ICO was critical that the credentials were stored in Uber’s repository in plain text, i.e. without any encryption or encoding.
- Uber was not able to confirm definitively whether additional records were accessed beyond the downloaded 16 files. This is because Uber did not have a record of all information that it stored on the database at every point in time (and a significant period had elapsed between the breach and the ICO’s investigation). The ICO labelled that as “poor data protection practice”, but in reality not all firms will be backing up data continuously to enable them to recreate records in this way.
- The ICO’s approach to the payment of $100,000 to the attackers was interesting. The payment was made under Uber’s bug bounty programme. Many firms have programmes of this type where they pay individuals to identify and alert them to vulnerabilities in their systems. The ICO recognises the legitimacy of these programmes but here a payment was being made to actors who had not only identified a vulnerability, but then proceeded to exploit it and remove personal data. It may have been perceived more as ‘hush money’ to keep the incident quiet and avoid notification. The principle of making payments to hackers is common in other jurisdictions, particularly after ransomware attacks where firms take an expedient approach in order to re-secure access to their systems quickly. Whilst the penalty notice did not expressly condemn the practice of making payments to hackers, the tone suggests that the ICO is not supportive of it. It will be interesting to see if the ICO’s stance softens as ransomware attacks become increasingly common in the UK.
- The 72-hour notification requirement that now exists under the GDPR did not exist under UK law when the breach occurred. Nevertheless, the ICO was strongly critical of Uber’s decision not to disclose the breach, either to the ICO or to the relevant data subjects, and treated this as an aggravating factor in determining the fine. The fine itself was subject to the lower £500,000 cap, as it was imposed under the old regime.
- The simultaneous publication of the UK and Dutch fines suggested a co-ordinated international approach to enforcement, at least in Europe. The ICO confirmed this in its press release, stating that the Dutch regulator was the lead member of an international task force whose members co-operated in investigating the effects of the incident in their respective jurisdictions. We expect such international coordination to continue, even post-Brexit.
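As an added example (not part of the original article, the ICO’s penalty notice, or any Uber code), the following Python script shows the detection side of the credential-stuffing pattern described in the first bullet above: it aggregates constructed authentication log lines per source address and flags a source that attempts many distinct usernames with a low success rate, while labelling a single-account brute force separately. The log format, the field names (including the `mfa=` flag, used to count how many password-only successes a second factor would have blocked), the addresses, the usernames and the thresholds are all assumptions made for this example.

```python
"""
Detection of credential-stuffing patterns in authentication logs.

Credential stuffing replays username/password pairs leaked from other
services, so its signature is one source trying many DISTINCT usernames
with a low success rate. A single-account brute force (one username,
many passwords) is a different pattern and is labelled separately.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical; not real data from the incident).
# Format: <timestamp> <source_ip> <username> mfa=<yes|no> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2016-10-13T10:00:01Z 203.0.113.7 alice@example.com mfa=no FAIL
2016-10-13T10:00:02Z 203.0.113.7 bob@example.com mfa=no FAIL
2016-10-13T10:00:02Z 203.0.113.7 carol@example.com mfa=no FAIL
2016-10-13T10:00:03Z 203.0.113.7 dave@example.com mfa=no FAIL
2016-10-13T10:00:03Z 203.0.113.7 erin@example.com mfa=no FAIL
2016-10-13T10:00:04Z 203.0.113.7 frank@example.com mfa=no FAIL
2016-10-13T10:00:04Z 203.0.113.7 grace@example.com mfa=no FAIL
2016-10-13T10:00:05Z 203.0.113.7 heidi@example.com mfa=no FAIL
2016-10-13T10:00:05Z 203.0.113.7 ivan@example.com mfa=no FAIL
2016-10-13T10:00:06Z 203.0.113.7 judy@example.com mfa=no SUCCESS
2016-10-13T10:00:06Z 203.0.113.7 mallory@example.com mfa=no FAIL
2016-10-13T10:00:07Z 203.0.113.7 oscar@example.com mfa=no FAIL
2016-10-13T10:05:00Z 198.51.100.20 alice@example.com mfa=yes FAIL
2016-10-13T10:05:10Z 198.51.100.20 alice@example.com mfa=yes SUCCESS
2016-10-13T11:30:00Z 198.51.100.20 alice@example.com mfa=yes SUCCESS
2016-10-13T12:00:00Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:01Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:02Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:03Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:04Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:05Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:06Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:07Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:08Z 192.0.2.5 bob@example.com mfa=no FAIL
2016-10-13T12:00:09Z 192.0.2.5 bob@example.com mfa=no FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    password_only_successes: int = 0  # password accepted with no second factor


@dataclass
class Finding:
    label: str
    attempts: int
    distinct_users: int
    success_rate: float
    password_only_successes: int


def parse_line(line: str):
    """Parse one log line into (source_ip, username, mfa_used, succeeded)."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    _ts, src, user, mfa, result = parts
    return src, user, mfa == "mfa=yes", result == "SUCCESS"


def summarise(log_text: str) -> dict:
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, mfa_used, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            if not mfa_used:
                s.password_only_successes += 1
    return stats


def classify(stats: dict, min_attempts: int = 10, min_distinct_users: int = 5,
             max_success_rate: float = 0.2) -> dict:
    """Label each source; thresholds are illustrative and should be tuned per site."""
    findings = {}
    for src, s in stats.items():
        rate = s.successes / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_distinct_users
                and rate <= max_success_rate):
            label = "credential_stuffing"  # many distinct users, mostly failing
        elif s.attempts >= min_attempts and len(s.users) == 1 and rate <= max_success_rate:
            label = "single_account_brute_force"  # one user, many passwords
        else:
            label = "benign"
        findings[src] = Finding(label, s.attempts, len(s.users), rate,
                                s.password_only_successes)
    return findings


def analyse(log_text: str) -> dict:
    """Convenience wrapper: raw log text in, per-source findings out."""
    return classify(summarise(log_text))


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(f"{src:15} {f.label:28} attempts={f.attempts} users={f.distinct_users} "
              f"success_rate={f.success_rate:.2f} "
              f"password_only_successes={f.password_only_successes}")
```

The `password_only_successes` count is the figure a defender reports after a stuffing run: each such login is an account whose reused password was accepted without a second factor, which is exactly the exposure that enforcing multi-factor authentication on the repository would have removed.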