On Tuesday 21st November 2017, Uber admitted that it had failed to disclose a cyberattack that exposed the data of some 57 million combined drivers and passengers — and paid hackers to not release the stolen data.
The October 2016 attack saw hackers unlawfully access 57 million names, email addresses and mobile phone numbers. Within that number, 600,000 drivers – who, in light of the recent Employment Appeal Tribunal decision, qualify as workers in the UK rather than being self-employed – had their names and licence details exposed.
The 2016 breach was hidden by the ride-sharing firm, which paid the hackers $100,000 (£75,000) to delete the data. In January Uber was fined $20,000 for failing to disclose a considerably less serious breach, which occurred in 2014.
According to Uber, there has been no evidence of fraud or misuse tied to the 2016 incident; the affected accounts are being monitored and additional fraud protection measures have been put in place. However, the Information Commissioner's Office (ICO) has stated that Uber's admission raises huge concerns around its data protection policies and ethics. James Dipple-Johnstone, deputy commissioner of the ICO, emphasised that:
“It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed.”
A Higher Standard
The new Data Protection Bill, which incorporates the General Data Protection Regulations 2016 (GDPR), means that data protection obligations have become more stringent and that businesses must be able to demonstrate compliance. Whilst the new Bill reflects existing data protection law, it is more onerous and gives the ICO greater enforcement powers.
Under the new Act, a notifiable breach, such as the one Uber concealed, has to be reported to the ICO within 72 hours of the organisation becoming aware of it. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of the organisation's global turnover.
Overall, the new Act includes more rights for individuals and provisions which promote accountability and governance with a view to minimising the occurrence of breaches such as that which Uber has concealed.
Concerns about corporate cybersecurity have intensified in the wake of high-profile hacks targeting organisations such as Uber, the NHS and TalkTalk. It is thus essential that appropriate security measures are put in place to ensure compliance with data protection principles.
If you require advice on data protection issues including the upcoming changes to the law, how to prepare, or are the subject of ICO investigation or enforcement action, please contact Andrew Swan or Sheila Ramshaw on 0191 232 0283 or at firstname.lastname@example.org and Sheila.Ramshaw@srflegal.co.uk respectively.