Monday 15 October 2018

Uber set to escape Irish fines after worldwide data breach

The Uber data breach occurred in October 2016 Photo: REUTERS/Tyrone Siu
The Uber data breach occurred in October 2016 Photo: REUTERS/Tyrone Siu
Adrian Weckler

Adrian Weckler

Ireland's data regulator will not take any immediate action against the taxi-hailing service Uber despite the online giant admitting a massive data breach affecting 57 million people worldwide.

"The Data Protection Commissioner [DPC] understands that the data controller for non-US individuals' personal data collected by Uber is located in the Netherlands," said a spokesman for the data boss in Dublin.

"However, the DPC is continuing to examine the circumstances of the breach, in terms of how the breach could impact individuals in Ireland and also in terms of how any services that are provided by Uber from Ireland could potentially include the processing of personal data."

Uber has a facility in Limerick with hundreds of staff. Its service is active in Ireland, although it is limited to licensed taxis instead of private vehicles.

The company has admitted it covered up a data breach a year ago that affected 57 million passengers, exposing their phone numbers, email addresses and other sensitive personal information.

The company also admitted it paid the hackers responsible for the data breach $100,000 (€84,790) not to disclose the data breach to authorities.

An upcoming European data law would see Uber facing fines of €20m, or 4pc of annual turnover, for the data breach.

However, one Irish data privacy expert believes Uber will face a fine of up to €10m in the Netherlands.

"The fact that Uber paid off the hackers to keep quiet demonstrates bad faith and will almost certainly result in the maximum fine under current law or in future under the GDPR (General Data Protection Regulation)," said Daragh O'Brien, chief executive of Castlebridge Associates.

"I think we could see the first GDPR-style enforcement action on this matter with Uber."

Stolen

The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and licence numbers of 600,000 drivers.

The breach occurred in October 2016 but newly appointed chief executive Dara Khosrowshahi said he only found out about it recently.

There was no evidence of fraud against passengers as a result of the data breach, while drivers whose licence numbers were stolen were being offered free identity-theft protection and credit monitoring, Uber said.

But Irish Uber customers have been advised to change their passwords.

"Make sure they're not the same as for other websites or online services," said Dermot Williams, head of cyber security firm Threatscape.

Irish Independent

Business Newsletter

Read the leading stories from the world of Business.

Also in Business