France’s data protection agency has fined the ride-sharing company Uber 400,000 euros ($455,000) over a 2016 data breach.
The data breach suffered by Uber in 2016 exposed the personal data of some 57 million clients and drivers worldwide.
In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into the company database and accessed the personal data (names, email addresses and cellphone numbers) of 57 million of its users. The disconcerting revelation was that the company had covered up the hack for more than a year.
The attackers also accessed the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016. According to a report published by Bloomberg, it was easy for the hackers, who obtained credentials from a private GitHub site used by the company's development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for not publishing the stolen data.
Rather than notifying customers and law enforcement of the data breach, as required by California’s data security breach notification law, the chief of information security, Joe Sullivan, ordered the ransom to be paid and the story covered up by destroying any evidence. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.
According to the French Data Protection Authority, the company failed to adopt elementary security measures.
In September, Uber agreed to pay a $148 million settlement with US states and the District of Columbia.
Uber was informed about the breach by the hackers themselves, and the firm paid them $100,000 to keep quiet about their exploit and destroy the data.
“After the incident and in the following years we made several technical improvements to our security,” said an Uber spokeswoman.
“We have also made important changes to our management to
(SecurityAffairs – hacking, 2016 data breach)