
The time has come for Uber to pay the piper for the data breach two years ago that leaked the personal details of 57 million users and drivers as two data protection offices in Europe set fines that collectively amount to over 1 million euros.
Uber learned about the incident a month after it happened when the hackers made contact and demanded $100,000 to disclose how they got the data trove; they also said they would destroy the information the moment they got paid.
The company disguised the ransom payment as a bug bounty reward. It revealed the details to the public a year later and informed the affected individuals that two hackers had accessed at least their names, email addresses, and mobile phone numbers.
Disclosure delay sanctioned by European DPAs
Today, the UK's Information Commissioner's Office (ICO) and its counterpart data protection authority in the Netherlands (Autoriteit Persoonsgegevens) announced their decision to fine Uber for the data compromise in October 2016. The penalties are £385,000 and €600,000, respectively.
According to the ICO, the hack affected about 2.7 million Uber users in the UK, plus the records of almost 82,000 drivers, which included details about rides and payments received. For its part, the Dutch Data Protection Authority (DPA) reports that the breach leaked details of 174,000 Dutch citizens.
The one-year delay in reporting the incident to the impacted parties is the main reason for the fines. Pre-GDPR regulations enforced by the ICO and the Dutch DPA required such a data breach to be reported within 72 hours of the company becoming aware of it.
"The incident, a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud," says ICO.
The watchdog in the Netherlands has the same motivation saying that the monetary sanction is because Uber "did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach."
Hackers used credential stuffing to access sensitive files
The attackers were able to steal the data by gaining illegal access to Uber's Simple Storage Service (S3) buckets on Amazon Web Services and downloading a total of 16 files.
This was possible through credential stuffing, ICO says in its penalty notice to the company.
As a result of its inquiries, the UK's ICO believes that the hackers obtained the S3 access credentials from a private GitHub repository belonging to Uber US. They logged into the GitHub account with a username and password collected from a previous data breach. The method is called 'credential stuffing' and exploits the bad practice of reusing the same password across multiple online accounts.
The method proved effective: the hackers were able to identify the GitHub accounts of 12 Uber employees in the US.
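The root cause described above is long-lived AWS credentials sitting in source code. The following added example (not from Uber, the ICO or the original article) is a small pre-commit style scanner that flags AWS access key IDs and the secret keys assigned next to them in a file; the sample input is a constructed config file using the placeholder credentials from AWS's own documentation, and the variable-name convention it matches on (`secret...=`) is an assumption about how such keys are typically written.

```python
"""Scan source text for AWS credential pairs before they reach a repo."""
import re
from dataclasses import dataclass

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA for long-lived IAM
# user keys, ASIA for temporary STS keys) plus 16 uppercase base32 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# Secret access keys are 40 chars from the base64 alphabet; we assume they
# are assigned to a variable whose name contains "secret".
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass
class Finding:
    line: int
    kind: str
    value: str


def redact(value: str) -> str:
    """Keep enough of the value to locate it, not enough to use it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per AWS key ID or secret key found, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_secret_access_key", m.group(1)))
    return findings


# Constructed sample config file; the values are the placeholder credentials
# from AWS's documentation, not live keys. The last line is a decoy that
# looks key-like but must not be reported.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# commit 8f14e45fceea167a5a36dedd4bea2543
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {redact(f.value)}")
```

Any hit should block the commit and trigger rotation of the key, since a credential that has ever been committed has to be treated as exposed even if the repository is private.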
It is worth mentioning that the timing of the breach helps Uber get away with a slap on the wrist. Under the General Data Protection Regulation that now applies across the European Union, the company could have incurred financial penalties of up to 20 million euros, or 4% of global turnover.