Uber's European operation has been fined £385,000 ($491,500) by the Information Commissioner's Office (ICO) for failing to notify customers that details of 35 million users had been stolen, after the company's servers were hacked in 2016.
As well as details of 35 million customers worldwide being stolen, with nearly 3 million UK users affected, 3.7 million Uber drivers' details were also exposed in the attack. This included the details of 82,000 Uber drivers in the UK.
The attackers breached the security of Uber's servers, located on Amazon Web Services Simple Storage Service, known as S3, and downloaded 16 large files containing the details of customers and drivers from around the world. The attackers gained access to Uber's S3 servers through credentials listed on a private GitHub repository owned and managed by GitHub which had previously been compromised.
The ride-sharing company has been through a tough time recently, culminating in founder Travis Kalanick leaving in 2017. (Image: Victor Xok, Unsplash)
The attack took place over a sustained period between October 13 and November 15, 2016, after which the attackers notified Uber of the security breach and demanded $100,000, in order to reveal how they had accessed the S3 servers, and implied they would not destroy the details until the money was paid in full. Uber's US division paid this, but crucially did not inform the relevant parties, and the affected users, of the attack, leading to the fine. Additionally, Uber US was fined $148 million earlier this year for the same reason.
ICO said that the fine was for Uber's inadequate information security -- the credentials for the S3 server on GitHub were in plaintext, and the GitHub repo did not need two-factor authentication in order to be accessed -- and the company's failure to disclose the attack to the public or the customers who had had their details stolen.
Uber has also been fined €600,000 (£532,000) by the Dutch data protection authority -- 174,000 Dutch citizens had their personal details stolen.
In response, Uber has made made two-factor authentication mandatory for access to private GitHub repos, and started rotating the credentials for the S3 servers in the private GitHub repo.
ICO commented: "Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users."
— Phil Oakley, Site Editor, TechX365