The United Kingdom’s Information Commissioner’s Office on Tuesday said it has fined the cab-hailing company Uber £3,85,000 (approximately Rs 3.47 crore) for failing to protect its customers’ data during a breach.

The authority said the breach, which occurred during October and November 2016, affected 2.7 million UK citizens. In all, the cyber attack led to the theft of names, email addresses and cellphone numbers of 5.7 crore riders around the world.

The Information Commissioner’s Office described the breach as avoidable. It allowed hackers to access and download customers’ personal details from a cloud storage system operated by Uber’s parent company in the United States.

The authority said details of journeys made by and payments to almost 82,000 drivers based in the country were also compromised. It claimed Uber paid the attackers to destroy the downloaded data, and failed to inform those affected about the incident for more than a year.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said Steve Eckersley, the authority’s director of investigations.

In September, Uber had reached an agreement with all 50 states as well as the District of Columbia in the United States to pay damages for failing to notify drivers about the 2016 data breach. The company had agreed to pay $140 million (approximately Rs 1,017 crore).

Uber’s other legal problems

Previously, Uber had agreed to pay $1.9 million (approximately Rs 13.28 crore) to settle sexual harassment claims of 56 current and former employees in the US. It had also agreed to pay nearly $11,000 (approximately Rs 7.6 lakh) to settle a class action case filed by 485 people for alleged discrimination at the workplace.