The U.K.’s Information Commissioner’s Office (ICO) announced a £385,000 fine ($491,284) against the ride-sharing company Uber for “failing to protect customers’ personal information during a cyber attack” in October and November of 2016. The Dutch Data Protection Authority imposed its own €600,000 ($679,257) penalty for the same incident.
The 2016 cyberattack allowed hackers to access the personal details, including full names, email addresses and phone numbers, of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands, authorities said.
After concealing the incident for more than a year, Uber admitted in November 2017 that hackers had stolen data on 57 million users and drivers worldwide. The company had also paid the hackers $100,000 to delete the data and keep the breach quiet.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
The U.K.’s ICO said the cyberattack represented a “serious breach” of the country’s Data Protection Act 1998, exposing customers and drivers to an increased risk of fraud. The Dutch regulator said it was fining Uber because the company did not report the breach within the country’s mandated 72-hour window.
Because the cyberattack occurred in 2016, it was not subject to the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018. The new rules could mean far larger penalties for companies in Uber’s position, with fines of up to 4 percent of global annual turnover or €20 million, whichever is greater.