Uber has been slapped with a €400,000 fine by the French data protection agency for the hack that exposed the data of 57 million users.
The hack happened in 2016, but the firm hushed it up for more than 12 months, even paying the hackers $100,000 to keep quiet about the incident.
The attackers stole login credentials for Uber's AWS S3 data stores from the firm's GitHub code repo in order to make off with info on customers' and drivers' email addresses, names, city and phone numbers.
Of the 57 million people affected, some 1.4 million were in France, with most of these (1.2 million) being customers.
The French data watchdog CNIL said that the attack wouldn't have succeeded if the firm had put "basic security measures" in place.
Uber has said that multi-factor authentication isn't mandatory on GitHub, but in a statement on the decision, the CNIL said the firm should have used strong authentication measures for access.
Uber to dole out $148m settlement among US states over breach it paid $100k to bury
Moreover, Uber shouldn't have stored login IDs unencrypted on GitHub, the agency said, and it should have set up a system based on IP addresses to protect access to the S3 bucket.
"When employees are made to connect remotely to the servers used by a company, securing this connection is a basic precaution to preserve the confidentiality of data processed," the (translated) decision said.
"This security can, for example, be based at least on setting up an IP address filtering measure so that only requests originating from identified IP addresses can be executed, which makes it possible to avoid any illegal connection, by securing data exchange and authenticating users."
Even if establishing such a system involved a long development process, this was a necessary effort that should have been planned from the outset, given the very large number of people's data kept on the servers.
The CNIL concluded that Uber was "negligent in failing to implement some basic security measures" and that this "widespread lack of caution" was evident in the success of the hackers.
As such, it handed the French arm of the ride-hailing service a fine of €400,000.
This follows a £385,000 penalty from the UK watchdog and a €600,000 fine from the Dutch authority. ®