Uber Data Breach — Exercise Your GDPR Rights

Uber suffered a major data breach in 2016 that exposed the personal data of 57 million riders and drivers — and then paid hackers to hide it. The cover-up was only revealed in 2017. EU residents can demand to know exactly what Uber still holds.

⚖️ Regulatory action: Uber was fined €290 million by the Dutch DPA (AP) in 2023 for illegally transferring EU driver data to the US.

What happened

2016: 57 million users and drivers affected

Hackers accessed 57 million Uber accounts using stolen AWS credentials. Uber paid the attackers $100,000 to delete the data and keep the breach secret for over a year before disclosing it.

Data exposed:
  • Names
  • Email addresses
  • Phone numbers
  • Driver's licence numbers (600,000 drivers)

2022: Internal systems affected

A hacker compromised Uber's internal systems and accessed sensitive internal tools, Slack, email, and cloud storage. No customer passwords were confirmed stolen, but internal data was exposed.

Data exposed:
  • Internal tools
  • Employee data
  • Engineering systems

What you can do

Uber holds trip history, location data, payment information, and device identifiers. A GDPR access request reveals every journey logged, every device used, and how your data has been shared — all of which you have a right to see and to demand deletion of.

You have two key rights under GDPR:

Generate your access request

This letter is pre-addressed to Uber B.V., the official EU data controller for Uber.

To: Uber B.V.
Burgerweeshuispad 301, 1076 HR Amsterdam, Netherlands

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
