One by one, European countries are slapping Uber with a penalty for the way it handled its 2016 data breach. Today, France’s data protection watchdog, the CNIL, announced it was fining Uber $460,000 (€400,000).
This event was a combination of bad security with bad reaction and good timing. Back in 2016, Uber faced a data breach that affected 57 million users, including 1.4 million users in France.
According to the CNIL’s report, hackers managed to connect to Uber’s GitHub repositories using some employee’s login and password. They then managed to connect to Uber’s Amazon Web Services account and download user data.
How? Very simple. AWS login information was stored in plain text on GitHub.
The CNIL said that it could have been avoided if:
- Uber had made two-factor authentication mandatory for the private GitHub repositories.
- Uber didn’t store AWS login information in plain text on GitHub.
- Uber used an IP whitelist to connect to AWS.
Uber first tried to cover up the breach by paying hackers $100,000 to make them delete the data set. It eventually disclosed the breach last year.
The only good news for Uber is that the breach happened slightly too early for European Union’s GDPR. Right now, if a company doesn’t report a breach to relevant authorities within 72 hours, they can end up paying a fine of up to 4 percent of the company’s global annual turnover.
British and Dutch authorities previously fined Uber $490,000 and $690,000 respectively (£385,000 and €600,000). Overall, it represents $1.6 million in fines.