Uber slapped with $1.2M in British, Dutch fines for 2016 hack

The ride-hailing company is still feeling the heat.

Sean Keane Former Senior Writer

Sean knows far too much about Marvel, DC and Star Wars, and poured this knowledge into recaps and explainers on CNET. He also worked on breaking news, with a passion for tech, video game and culture.

Expertise Culture, Video Games, Breaking News

See full bio

Sean Keane

Nov. 27, 2018 6:54 a.m. PT

2 min read

The Uber application seen displayed on a Sony smartphone — Uber was fined by the British and Dutch governments.
Guillaume Payen/SOPA Images/LightRocket via Getty Images

Uber was hit with a pair of fines by British and Dutch regulators Tuesday for its failure to protect customer data during a 2016 breach.

The UK Information Commissioner's Office (ICO) fined the ride-hailing service £385,000 ($490,760), and the Netherlands' Data Protection Authority imposed a 600,000 euro ($678,780) penalty.

In October 2016, hackers stole names, emails and driver's license numbers of 57 million drivers and riders in multiple countries by breaching Uber's system. Uber paid $100,000 to the data thieves to delete the information, which didn't include Social Security numbers of US citizens or credit card information.

Uber's Skyports are the gateway to on-demand air travel

+10 More

See all photos

It impacted 2.7 million British and 174,000 Dutch riders and drivers, according to the two governments.

"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," Steve Eckersley, ICO's director of investigations, said in a statement. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

Since the breach occurred prior to introduction of General Data Protection Regulation (GDPR) in May, both fines were issued under old legislation. GDPR, the EU law that gives citizens more control over their personal data, allows for a maximum fine of 20 million euros or 4 percent of a company's annual global revenue from the previous year, whichever is higher.

Watch this: Uber admits major data breach... 1 year late

01:28

"We're pleased to close this chapter on the data incident from 2016," an Uber spokesperson said in an emailed statement. "As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since."

The company noted that it had hired its first chief privacy officer and data protection officer, as well as a new chief trust and security officer, since the hack took place.

In the US, Uber reached a settlement in September with all 50 states and the District of Columbia over the breach and agreed to pay a $148 million fine.

CNET's Holiday Gift Guide: The place to find the best tech gifts for 2018.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.