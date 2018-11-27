

LONDON (dpa-AFX) - Ride hailing service Uber has been fined $1.17 million by British and Dutch authorities for a data breach in 2016 that exposed the personal data of millions of customers.



The UK's Information Commissioner's Office, or ICO, said it has fined Uber 385,000 pounds, or $491,222, for failing to protect customers' personal information during the cyber attack in October and November 2016.



According to the ICO, 'a series of avoidable data security flaws' allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers.



The personal information that was exposed included full names, email addresses and phone numbers of customers and drivers.



The ICO noted that the records of almost 82,000 drivers based in the UK, including details of journeys made and the payment they received, were also taken during the incident.



The ICO's investigation found that 'credential stuffing', a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber's data storage.



The data protection watchdog noted that Uber did not tell the affected customers and drivers about the incident for more than a year. Instead of reporting the breach to the authorities, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded and to cover up the breach.



Steve Eckersley, ICO Director of Investigations, said, 'This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support.'



In addition, the Dutch Data Protection Authority, or Dutch DPA, the data protection authority for the Netherlands, imposed a fine of 600,000 euros, or $679,560, upon Uber for violating the Dutch data breach regulation. The agency noted that the data breach involved 174,000 Dutch citizens.



The Dutch regulator was the lead member of an international task force that included the ICO and that co-operated in investigating the effects of the incident in their respective jurisdictions.



