A series of “avoidable data security flaws” allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers, the Information Commissioner’s Office (ICO) said.
This included full names, email addresses and phone numbers, exposing people to an “increased risk of fraud”.
The records of almost 82,000 UK drivers – including details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.
ICO director of investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Hackers obtained personal details of a total of 57 million Uber customers and drivers worldwide from a cloud-based storage system operated by the ride hailing app firm’s US parent company
Customers and drivers affected were only alerted when Uber made an announcement in November 2017.
Uber paid the attackers responsible 100,000 US dollars (£78,000) to destroy the data they had downloaded.
Mr Eckersley added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”
Uber was also handed a separate 600,000-euro (£532,000) fine by the data protection authority in the Netherlands. The Autoriteit Persoonsgegevens said 174,000 Dutch citizens were affected by the hack.
In June, a judge granted Uber a short-term operating licence in London after its permit was initially not renewed over safety concerns.
The firm conceded it had made “serious mistakes” and Transport for London was correct in its renewal decision, but told an appeal hearing it had made “wholesale” reforms.