Penalty against Uber (NL)
In the fall of 2016, data from approximately 57 million customers were stolen, including approximately 174,000 Dutch. Uber concealed this incident and paid the attackers $ 100,000 for assurances that the data would be deleted. The Dutch DPA imposed a fine of € 600,000 on the group as a result of the incident.
The incident occurred before the entry into force of the GDPR, so the fine was imposed under the Dutch Data Protection Act. As a result of this incident, the UK also imposed a fine of £ 500,000 on the company, which was the maximum penalty under the then UK Data Protection Act. France also imposed a fine of € 400,000.
Type of Issue:
Theft of Data
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
25. Data protection by design and by default
32. Security of processing
33. Notification of a personal data breach to the supervisory authority
34. Communication of a personal data breach to the data subject