The Information Commissioner's Office (ICO) has fined ride-hailing app Uber £385,000 following a 2016 data breach that exposed the personal details of millions of customers in the UK.
More than 2.7 million users in the UK, along with 82,000 drivers, were affected by the incident, which saw hackers gain access to databases containing information such as full names, email addresses, phone numbers and records of journeys taken.
The ICO said this was the result of "a series of avoidable data security flaws" and had the potential to expose the victims to an increased risk of fraud.
Its investigation revealed that the hackers gained access to Uber's database through a technique called credential stuffing: automatically trying username and password pairs already compromised in earlier breaches against a site's login page until some of them match an existing account.
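As an added illustration (example code, not from the article, the ICO or Uber), the following Python scans authentication logs for the pattern credential stuffing leaves behind: one source working through a list of leaked credentials, one attempt per account, rather than one user retrying their own account. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not real Uber data).
SAMPLE_LOG = """\
2016-10-13T02:14:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2016-10-13T02:14:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2016-10-13T02:14:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2016-10-13T02:14:02Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2016-10-13T02:14:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2016-10-13T02:14:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2016-10-13T02:14:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2016-10-13T02:14:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2016-10-13T02:15:10Z ip=198.51.100.4 user=ivan@example.com result=FAIL
2016-10-13T02:15:20Z ip=198.51.100.4 user=ivan@example.com result=FAIL
2016-10-13T02:15:40Z ip=198.51.100.4 user=ivan@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Turn log lines into (source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events

def find_stuffing_sources(events, min_attempts=5, min_distinct_ratio=0.8):
    """Flag sources whose attempts spread across many distinct accounts;
    a stuffing run tries a leaked list, roughly one attempt per account."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)   # matched accounts are the ones to reset
    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["users"]) / s["attempts"]
        if s["attempts"] >= min_attempts and ratio >= min_distinct_ratio:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "successes": s["successes"]}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single user retrying one account is not flagged, while the source spraying eight different accounts is, together with the count of accounts it actually matched.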
Uber was also criticised by the regulator for its response to the breach. Instead of notifying the individuals affected, the company paid the hackers $100,000 (£78,200) to destroy the stolen data and failed to inform users about the breach for more than a year.
Director of investigations at the ICO Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
Mr Eckersley noted that although under the previous laws that were in force at the time of the breach, Uber had no legal obligation to report data breaches, its actions were "not … an appropriate response" to the attack.
The outcome may have been very different had the incident taken place after May this year, when the new GDPR rules came into force. As well as adding a requirement for firms to report data breaches within 48 hours of discovery, the rules also greatly increase the potential fines for incidents found to have been avoidable.
Chun Wong, partner at law firm Hodge Jones and Allen, told the Daily Telegraph: "Uber will consider themselves fortunate that higher fines brought in in May this year were not in force. The fine of £385,000 seems a small price to pay and will be of little comfort to those affected."
Uber has nevertheless paid a heavy price for the incident in the US, where it has already agreed to a £148 million payment to settle federal charges brought over the breach.