Uber has been fined £385,000 by the Information Commissioner’s Office (ICO) for failing to protect customers’ personal information during a cyber attack.
A series of “avoidable data security flaws” allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company, the ICO said in a statement.
This included full names, email addresses and phone numbers.
The records of almost 82,000 drivers based in the UK, which included details of journeys made and how much they were paid, were also taken during the incident in October and November 2016.
Customers and drivers affected were not told about what had happened for more than a year.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”