The Information Commissioner's Office (ICO) outlined its views on the operation of 'bug bounty' programmes in a new monetary penalty notice it has served on Uber.
The ICO fined Uber £385,000 for what it called a serious breach of UK data protection laws following its investigation into a data breach the company reported last year. That data breach, which occurred in October and November 2016, affected 57 million of Uber's customers around the world, including 2.7 million customers in the UK. The ICO imposed its fine on Uber after identifying failings in the company's data security measures. The watchdog also criticised Uber's decision to pay the hackers $100,000 to destroy the data they had stolen.
"Uber US's decision to treat the incident as a bug bounty rather than a security breach demonstrates an inadequacy in its decision making when contacted by the attackers in November 2016," the ICO said.
"The [information] commissioner recognises that a bug bounty programme, such as that which Uber US operated at the relevant time, may be a legitimate practice for paying financial rewards in exchange for the responsible disclosure of security vulnerabilities. In this case, however, Uber US did not follow the normal operation of its bug bounty programme. In this incident Uber US paid outside attackers who were fundamentally different from legitimate bug bounty recipients: instead of merely identifying a vulnerability and disclosing it responsibly, they maliciously exploited the vulnerability and intentionally acquired personal information relating to Uber users," it said.
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the case is the latest example of a company being criticised for its failure to properly manage and respond to a data breach. He said the ICO's comments on bug bounty programmes also highlight "an issue which is not always clear cut".
"It is not unusual in an incident for a third party to highlight a security vulnerability and intimate that a bug bounty might be paid by the company concerned," Birdsey said. "The line between paying financial rewards in exchange for the responsible disclosure of security vulnerabilities on the one hand and maliciously exploiting a vulnerability and intentionally acquiring personal information relating to Uber users is not always as clear cut as the ICO might suggest. For example, attackers may refer to a specific file or database when disclosing security vulnerabilities."
Uber chief executive Dara Khosrowshahi issued a statement announcing the data breach in November 2017. Khosrowshahi said at the time that he had only "recently learned" of the breach, despite others in the company knowing about the incident and taking action to "secure the data and shut down further unauthorised access" by the hackers.
At the time, the company implemented new security measures to "restrict access to and strengthen controls on our cloud-based storage accounts", and the company also managed to identify the hackers concerned and "obtained assurances that the downloaded data had been destroyed", he said. Khosrowshahi also said two staff members who led Uber's response to the breach at the time were "no longer with the company".
ICO director of investigations Steve Eckersley said the company's delay in notifying people affected by the breach left those people "vulnerable" to potential fraud.
Eckersley said: "Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."
The Autoriteit Persoonsgegevens, the data protection authority in the Netherlands, also announced on Tuesday that it had fined Uber over the incident. It said its €600,000 penalty was imposed because Uber had breached Dutch data breach rules. Those rules required the company to report the breach to the Dutch authority and data subjects within 72 hours of discovering the breach, the watchdog said. In total, 174,000 people in the Netherlands had their data compromised in the attack, it said.
Both the UK and Netherlands fines were issued under legislation pre-dating the application of the General Data Protection Regulation (GDPR), which took effect in May this year. Under the GDPR, businesses face potential fines of up to 4% of their annual global turnover, or €20m, whichever is higher, if they breach the Regulation.
Uber announced in September that it had reached an agreement with the attorneys general of all 50 states of the US and the District of Columbia to "resolve their legal inquiries" over the data breach. Uber paid $148 million as part of that settlement.