On Tuesday, top data protection cops from the UK and the Netherlands slapped Uber with some new penalties for its failure to notify users of a massive data breach in 2016.
A settlement coordinated between all 50 states in September levied a $148 million fine against the ride-share company over its decision to cover up a data breach that exposed the personal information of 57 million users and drivers worldwide. According to CNBC, the U.K.’s Information Commissioner’s Office (ICO) joined in the penalty party, hitting Uber with a $491,284 fine (£385,000). The Dutch Data Protection Authority went further, assigning a $679,257 fine (€600,000) for Uber’s shady actions.
In late 2017, Uber was trying to shed its bad reputation and introduce its new CEO, Dara Khosrowshahi. As part of the cleanup initiative, it admitted that hackers had accessed 57 million Uber riders’ and drivers’ information, including email addresses, phone numbers, and driver’s license numbers. That would be a black eye for any company, but Uber managed to dig itself even deeper by paying the 20-year-old hacker who was responsible for the breach $100,000 to delete the data and keep his mouth shut about it. In addition to admitting its failure to protect its users, Uber fired Joe Sullivan, its chief security officer, and Craig Clark, a lawyer who reported to him.
When asked for comment on the fines, an Uber spokesperson told Gizmodo:
We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.
Today’s fines are tiny in comparison to the one Uber agreed to pay in the United States. In fact, Khosrowshahi could probably throw the penalties on his AmEx considering his massive compensation package. But Uber is lucky the breach came before the European Union’s GDPR took effect in May 2018. Under those rules, a company must notify its regulator of a breach within 72 hours of becoming aware of it, and failing to do so is punishable by a fine of up to €10 million or two percent of global annual turnover, whichever is higher; the headline four percent tier is reserved for the most serious infringements, such as violating the basic principles for processing personal data. In 2016, Uber reported $6.5 billion in revenue, meaning even the lower tier could have cost it on the order of $130 million, and the higher tier roughly $260 million, had it been operating in today’s legal climate when it decided to hide the breach.