Uber fined €400,000 in France over data breach

Out-Law News | 21 Dec 2018 | 12:14 pm | 1 min. read

Uber in France has been hit with a €400,000 fine by the country's data protection watchdog in response to a major data breach the company experienced in 2016.

The personal data of 57 million of Uber's customers around the world were compromised in a cyber attack which occurred in October and November 2016.

The Commission Nationale de l'Informatique et des Libertés (CNIL) said 1.4 million customers of Uber France SAS were impacted by the breach, which it said could have been prevented if the company had implemented "basic security measures".

The €400,000 fine is a record sanction for the CNIL, Paris-based data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said. Uber was fined £385,000 and €600,000 by the UK and Dutch data protection watchdogs respectively last month over the same breach. The Information Commissioner's Office (ICO) criticised Uber's decision to pay the hackers $100,000 to destroy the data they had stolen.

All the fines were issued under legislation pre-dating the application of the General Data Protection Regulation (GDPR), which took effect in May this year. Under the GDPR, businesses face potential fines of up to 4% of their annual global turnover, or €20m, whichever is higher, if they breach the Regulation.

Uber chief executive Dara Khosrowshahi issued a statement announcing the data breach in November 2017. Khosrowshahi said at the time that he had only "recently learned" of the breach, despite others in the company knowing about the incident and taking action to "secure the data and shut down further unauthorised access" by the hackers.

At the time, the company implemented new security measures to "restrict access to and strengthen controls on our cloud-based storage accounts", and the company also managed to identify the hackers concerned and "obtained assurances that the downloaded data had been destroyed", he said. Khosrowshahi also said two staff members who led Uber's response to the breach at the time were "no longer with the company".

Uber announced in September this year that it had reached an agreement with the attorneys general of all 50 states of the US and the District of Columbia to "resolve their legal inquiries" over the data breach. Uber paid $148 million as part of that settlement.