Ride-hailing service Uber has been slapped with more than £900,000 (~$1.149 million) in combined fines in the UK and The Netherlands for a breach of its database in 2016 affecting 57 million users worldwide. The company was accused of failing to protect the personal information of both its customers and drivers from a "series of avoidable data security" incidents that occurred from October to November 2016.
In the UK, Uber has been hit with £385,000 (~$492,000) in fines over the incident that exposed the personal data of about 2.7 million UK customers, including names, email addresses, and phone numbers, to hackers. These pieces of information were unlawfully accessed from Uber's cloud-based database run by its parent company in the U.S., according to the Information Commissioner’s Office (ICO).
Additionally, the stolen data included the amount received and trips made by nearly 82,000 UK drivers. This series of incidents was concealed from the affected individuals for over a year, according to the ICO, until the breach started hogging the headlines in November of last year. In an attempt to control the situation at that time, Uber allegedly paid $100,000 to the hackers in exchange for the stolen data's destruction.
In the Netherlands, where the incident affected 174,000 Dutch citizens, Uber has received a penalty amounting to €600,000 (~$680,000) from the Dutch Data Protection Authority.
It's worth noting that the UK fine was issued based on the old Data Protection Act 1998, under which the maximum penalty for such a violation is £500,000 (~$638,000). Under the new data protection law in Europe, the General Data Protection Regulation, which took effect in May, the ICO could levy fines of up to £17 million (~$21.7 million) or 4% of a company's global turnover.