Uber was hit with a pair of fines by British and Dutch regulators Tuesday for its failure to protect customer data during a 2016 breach.
In October 2016, hackersin multiple countries by breaching Uber’s system. Uber paid $100,000 to the data thieves to delete the information, which didn’t include Social Security numbers of US citizens or credit card information.
It impacted 2.7 million British and 174,000 Dutch riders and drivers, according to the two governments.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” Steve Eckersley, ICO’s director of investigations, said in a statement. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Since the breach occurred prior to the introduction of the General Data Protection Regulation (GDPR) in May, both fines were issued under old legislation. GDPR, the EU law that gives citizens more control over their personal data, allows for a maximum fine of 20 million euros or 4 percent of a company’s annual global revenue from the previous year, whichever is higher.
“We’re pleased to close this chapter on the data incident from 2016,” an Uber spokesperson said in an emailed statement. “As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.”
The company noted that it had hired its first chief privacy officer and data protection officer, as well as a new chief trust and security officer, since the hack took place.
In the US, Uberin September with all 50 states and the District of Columbia over the breach and agreed to pay a $148 million fine.