The Dutch Data Protection Authority (Dutch DPA) just announced it’s imposing a €600,000 fine on Uber and its Dutch subsidiary Uber B.V. for violating Dutch data breach regulation in 2016. Simultaneously, UK’s Information Commissioner‘s Office (ICO) declared Uber will be fined £385,000 (around €433,000) for the same data breach back in 2016.
Uber concealed the 2016 breach for over a year, in which hackers gained access to personal data of 57 million people worldwide, such as names, email addresses, and telephone numbers. The company thereby failed to comply with laws stating it must report data breaches to the authorities and the data subjects within 72 hours after the discovery of the breach.
Instead, the company paid the hackers $100,000 to delete the data and keep the breach quiet. The ICO said Uber had shown “complete disregard” for users and said the breach was cause by “avoidable data security flaws,” according to Sky News.
It’s still unclear whether the two privacy regulators worked together but the Dutch DPA and the ICO announced the Uber fines within moments of each other.
This isn’t the first time Uber has been fined for its 2016 data breach. Last September the ride-hailing giant was forced to pay $148 million in fines after a settlement in a case of all 50 states against the company.