Uber was hit with a £385,000 fine after it paid off hackers who stole the personal details of around 2.7 million UK customers and did not inform the victims about the incident.
The attackers accessed a cloud-based storage system operated by Uber's parent company using "credential stuffing", a process of injecting compromised username and password pairs into websites until one matches an existing account.
They then downloaded full names, email addresses, phone numbers and other information from customers, as well as the records of almost 82,000 drivers, including details on the journeys they'd made and the fares they'd been paid. Uber paid the attackers $100,000 to destroy the data but didn't tell the affected customers and drivers for more than a year.
The £385,000 fine was determined based on the size of the breach, the sensitivity of the information stolen and the failure to notify the victims and regulators at the time.
Around 174,000 people in the Netherlands were also affected, leading the Dutch Data Protection Authority (DPA) to impose a separate €600,000 (£532,000) fine.