Uber fined £385k by ICO for 2016 hack

It has been reported that the ICO has imposed a fine of £385,000 on Uber for the 2016 breach. The fine comes courtesy of the Information Commissioner’s Office (ICO) which on Tuesday said that a “series of avoidable security flaws” allowed attackers to access the usernames, email addresses and phone numbers of around 2.7 million UK customers.


Commenting on the news are the following security professionals:


Tim Erlin, VP at Tripwire:


“The ICO has previously demonstrated a willingness to fine organizations in circumstances like this, though it remains unclear whether such fines make a material difference in the overall security across industries. While this incident pre-dates the GDPR, fines like these must now be viewed in light of the more expansive regulations that have come into force. It’s important to remember that GDPR isn’t the first regulation to address security and data privacy. GDPR is designed to harmonize and update a disparate set of regulations across the EU. While GDPR provides the framework for significant fines, they are maximums, not minimums. The actual fines levied will be situationally determined.”


Javvad Malik, security advocate at AlienVault: 


“The Uber fine shouldn’t come as a surprise to anyone that has been following the story. The company had inadequate protective and detective security controls. To make matters worse, the company tried to cover up the breach and paid money to keep things quiet, and in the process exposed its customers. While breaches are an unfortunate cost of doing business these days, it’s how a company acts in response that can make the difference between a large fine and a warning.”


Martin Jartelius, CSO at Outpost24:


“Taking into account the substantial impact of this breach and the way it was handled by Uber, this is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”