Both British and Dutch regulators have fined Uber for data protection failings following a breach in 2016 that exposed the details of 57m customers and drivers.
The Information Commissioner’s Office (ICO) fined the company £385,000 while the Dutch Data Protection Authority imposed a penalty of €600,000.
An investigation by the ICO into the data breach at Uber found evidence of “credential stuffing”.
The ICO said credential stuffing, “a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage”.
“However, the customers and drivers affected were not told about the incident for more than a year,” it said. “Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.”
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”