Uber was hit with a fine by U.K. and Dutch regulators on Tuesday (Nov. 27) for the data breach in 2016 that impacted millions of users.
According to a report in Reuters, citing the Information Commissioner’s Office (ICO) in the U.K., the ride-hailing company was fined $490,760. Meanwhile, the Dutch Data Protection Authority (DPA) fined Uber $678,780. The fines stem from a data breach in 2016 in which the names, mobile phone numbers and email addresses of 57 million users around the globe were compromised. Of those, 2.7 million users had accounts in the U.K., noted the report.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said in a statement. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
The ICO noted in the statement that data on nearly 82,000 U.K. drivers was taken during the hack, with the bad guys getting away with detailed information on the trips drivers took and how much they were paid for them. The DPA said the hack impacted 174,000 people in the Netherlands, and that it would fine Uber for failing to report the breach within 72 hours of discovering it. Earlier this year, Uber agreed to pay California $148 million to resolve allegations that it knew about the breach for a year and paid hackers to keep it quiet.
This isn’t the first time Uber has raised the ire of U.K. regulators. The company has been dealing with licensing issues in London and is embroiled in a legal fight over the rights of U.K.-based drivers. Uber told Reuters that it has changed its data practices since the hack in 2016 and brought on a chief privacy officer and data protection officer in 2018.
“We’re pleased to close this chapter on the data incident from 2016,” Uber said in a statement to Reuters. “As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems, both in the immediate wake of the incident as well as in the years since.”