Uber has been fined £385,000 by the Information Commissioner’s Office.
The car-sharing service was fined after hackers were able to steal the data of 2.7 million UK customers in 2016.
The ICO has said that the data breach, which allowed hackers to steal customers full names, addresses and phone numbers, were “avoidable data security flaws”.
Steve Eckersley, who is the director of investigations at the ICO, said: “This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen.”
The ICO said: “Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users.”
The group was also fined by data regulators in Holland after the same hack affected customers in The Netherlands. Uber had been fined €600,000 (£532,000) by Holland authorities.
In the US, Uber paid a fine of $148 million.
Uber had paid the hackers $100,000 (£78,400) to destroy the data that was stolen.
The company said in a statement: “We’re pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.”
“We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”