Uber France SAS (Uber France) is the latest Uber group company to receive a fine from its national regulator, the Commission Nationale de l’Informatique et des Libertés (the CNIL), following a serious security breach in 2016 that led to the unauthorised access and download of personal data relating to 57 million Uber drivers and customers from across the globe. The CNIL levied a fine of €400,000 on Uber France SAS on 20 December 2018.
Background: In November 2017, Uber revealed that it had suffered a major security breach a year earlier.
A taskforce was set up by the Article 29 Working Party (an advisory body made up of representatives from across Europe) to investigate the breach.
Uber’s responses to a questionnaire issued by the taskforce revealed that hackers had gained access to credentials stored in plain text on GitHub, a development platform used by Uber’s software engineers. Using those credentials, the hackers found an access key (also written in plain text) within a source code file, which the hackers used to access Uber servers and download the personal data.
Security measures: The CNIL found that the data breach would have been preventable, had Uber implemented appropriate basic security measures, such as:
- requiring its software engineers to use a stronger authentication method to connect to GitHub (for example, using a two-step authentication process);
- not storing credentials that allowed access to the server in plain text within source code; and
- implementing an IP filtering system to access the servers containing its personal data.
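The second measure, keeping credentials out of committed source, is the one a development team can check for mechanically. The script below is an added example written for this note; it is not code from Uber, from GitHub or from the CNIL decision. It scans source text for the two shapes the decision describes (a credential-looking variable assigned a plain-text string, and an access key written directly into a file) and shows a constructed vulnerable file beside its hardened form, where the code names the secret but the value is injected at run time. The sample file contents, variable names and key values are all constructed for illustration; the only real-world assumption is that AWS access key IDs begin with "AKIA" followed by 16 upper-case alphanumerics, which is AWS's documented format.

```python
import re
import sys
from typing import List, Tuple

# --- Constructed sample inputs (not Uber's code; illustrative only) -------------

# Anti-pattern: an access key and a password written in plain text inside a
# source file that is then committed to a repository such as GitHub.
VULNERABLE_SOURCE = (
    '# config.py -- constructed example of credentials checked into source\n'
    'DB_HOST = "db.internal.example"\n'
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'api_password = "hunter2"\n'
)

# Hardened form: the code references secrets by name only; the values are
# supplied at run time from the environment (or a secret manager), never committed.
HARDENED_SOURCE = (
    '# config.py -- secrets are resolved at run time, not stored in the repo\n'
    'import os\n'
    'DB_HOST = "db.internal.example"\n'
    'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
    'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    'api_password = os.environ.get("API_PASSWORD")\n'
)

# Heuristic rules. Rule 1 flags an assignment of a credential-looking name to a
# string literal of at least four characters. Rule 2 flags the fixed shape of an
# AWS access key ID ("AKIA" + 16 upper-case alphanumerics), a documented format.
PATTERNS = [
    ("credential-assignment", re.compile(
        r'(?i)\w*(password|passwd|secret|token|api[_-]?key|access[_-]?key)\w*'
        r'\s*[:=]\s*["\']([^"\']{4,})["\']')),
    ("aws-access-key-id", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, matched_text) for every rule hit in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((line_no, rule, match.group(0)))
    return findings


def has_plaintext_credentials(text: str) -> bool:
    """True if any rule fires: the yes/no answer a pre-commit hook gates on."""
    return bool(scan_source(text))


def scan_files(paths: List[str]) -> List[Tuple[str, int, str, str]]:
    """Scan files on disk; errors='replace' stops odd encodings from aborting the run."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, rule, text in scan_source(fh.read()):
                results.append((path, line_no, rule, text))
    return results


if __name__ == "__main__":
    # With file arguments, behave as a pre-commit hook: a non-zero exit blocks the commit.
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
        for path, line_no, rule, text in hits:
            print(f"{path}:{line_no}: {rule}: {text}")
        sys.exit(1 if hits else 0)
    # Otherwise demonstrate on the constructed samples: the vulnerable file is
    # flagged on lines 3, 4 and 5; the hardened file produces no findings.
    for label, sample in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"{label}: {len(scan_source(sample))} finding(s)")
        for line_no, rule, text in scan_source(sample):
            print(f"  line {line_no} [{rule}]: {text}")
```

Run with no arguments to see the two samples compared, or as `python scan_secrets.py $(git diff --cached --name-only)` from a pre-commit hook. Two caveats for real use: the hook prints the matched line, so redact the value before it reaches CI logs; and pattern matching of this kind is a detective control with known gaps (renamed variables, base64-wrapped values), which is why dedicated scanners such as gitleaks or truffleHog add entropy checks and scan repository history as well as the working tree. The preventive control remains the hardened form above, where the repository never holds the secret at all.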
All for one and one for all: The CNIL rejected an argument from Uber France that the CNIL could only impose a fine on the data controller (being, jointly, Uber entities established in the US and Denmark) and not a mere subsidiary of the data controller (i.e. Uber France).
The CNIL cited German case law, which stated that where a business has subsidiaries in various EU Member States, the data regulator in each Member State may exercise its powers in respect of each such subsidiary, even where the responsibility for collecting and processing personal data for the entire territory of the EU belongs to a group company in another territory.
To date, Uber entities based in the UK and Denmark have also received fines of £385,000 and €600,000 respectively in relation to the same breach.
Points to note: The CNIL’s reasoning in its decision to fine Uber France has provided a useful insight into what regulators may deem sufficient in terms of the appropriate security measures a company may be expected to take in order to protect personal data. It also sends a clear message regarding responsibilities in relation to personal data within a group of companies and highlights the fact that businesses with global establishments can be fined in relation to the same breach throughout multiple jurisdictions.
If your business requires advice in relation to its responsibilities under data protection law, please do not hesitate to contact a member of our Commercial Services team.