According to the Information Commissioner’s Office (ICO), a series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers. The details included full names, email addresses and phone numbers.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded. Information about the attack was finally released in November last year.