Uber has received a fine totalling £385,000 for a serious contravention of principle seven of the Data Protection Act 1998. Whilst this falls under the old regime, it is further evidence of the ICO's attitude towards technology companies and 'big data'.
It was found that the security arrangements put in place by Uber US, which was processing data on behalf of Uber, did not prevent criminals from accessing and downloading personal data.
The names, email addresses and phone numbers of approximately 2.7 million UK customers and the records of around 82,000 UK drivers were all compromised. It was noted that Uber had since taken steps to ensure that this type of event does not happen again. It is also worth noting that there was no evidence that the personal data that was taken was in any way misused.
There was some concern that Uber did not notify the ICO or the individuals when it became aware of the attack and did not take appropriate follow-up action until a significant amount of time later. Uber paid the attackers to destroy the data that they had taken. Naturally, the ICO considered that this was inappropriate.