Romania’s National Supervisory Authority for Personal Data Processing fined the ride sharing service Uber with RON 200,000 (EUR 43,000) for failing to notify the authority about a security incident that may have affected the personal data of some 30,000 local clients, Profit.ro reported.
Uber also failed to notify the affected clients about this incident, according to the authority. The company challenged the sanction.
The security incident, which affected the personal data of some 57 million Uber users worldwide, occurred in 2016 but was only announced by the company in November 2017. The company said at that time that there was no indication that the clients’ trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
At the beginning of June, Uber sent an e-mail notification to all of its 30,000 users (passengers and drivers) in Romania affected by this incident.