The UK Information Commissioner's Office (ICO) has fined privately-owned ride-hailing app group Uber Technologies £385,000 for letting hackers steal data on 2.7mln UK customers.
The ICO said the 2016 cyber-attack – which saw full names, addresses and phone numbers of users stolen – happened because of "avoidable data security flaws".
Uber has also been fined €600,000 (£532,000) by data regulators in the Netherlands over the same breach, which also affected 174,000 Dutch customers.
The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
The ICO investigation found ‘credential stuffing’, a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber’s data storage.
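The pattern the ICO describes is detectable on the defender's side: a legitimate user who mistypes a password hits one account repeatedly, while a credential-stuffing run fails against many different accounts from the same source in a short window. The following is an added illustration, not code from the ICO, Uber or the article; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format): one source
# cycles through many accounts and eventually lands a match; another is a
# normal user who gets their own password wrong once.
SAMPLE_LOG = """\
2016-10-13T02:14:01Z login FAIL user=alice@example.com src=203.0.113.9
2016-10-13T02:14:02Z login FAIL user=bob@example.com src=203.0.113.9
2016-10-13T02:14:02Z login FAIL user=carol@example.com src=203.0.113.9
2016-10-13T02:14:03Z login FAIL user=dave@example.com src=203.0.113.9
2016-10-13T02:14:03Z login FAIL user=erin@example.com src=203.0.113.9
2016-10-13T02:14:04Z login OK user=frank@example.com src=203.0.113.9
2016-10-13T02:20:00Z login FAIL user=alice@example.com src=198.51.100.7
2016-10-13T02:20:30Z login OK user=alice@example.com src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_stuffing_sources(log, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: details} for sources whose failed logins touched at least
    `min_accounts` distinct usernames inside any `window`-long span.
    Successful logins from a flagged source are listed so the accounts can be
    reviewed, since a stuffing run that stops failing has probably matched."""
    events = defaultdict(list)
    for ts, result, user, src in parse(log):
        events[src].append((ts, result, user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            users = {u for t, r, u in evs[i:] if r == "FAIL" and t - start <= window}
            if len(users) >= min_accounts:
                successes = sorted({u for _, r, u in evs if r == "OK"})
                flagged[src] = {"distinct_failed_accounts": len(users),
                                "successes": successes}
                break
    return flagged
```

Thresholds are assumptions; tune `window` and `min_accounts` to the site's normal failure rate, and note that distributed runs spread across many sources need per-account or global rate views as well.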
However, the customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.
Steve Eckersley, ICO Director of Investigations, said: "This was not only a serious failure of data security on Uber's part but a complete disregard for the customers and drivers whose personal information was stolen."
He added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
The details on the 2.7mln UK customers were part of a massive cache of information on 57mln people taken by the hacker group in October and November 2016.
Uber has paid $148mln to settle US federal charges over the 2016 breach.