British and Dutch authorities fined Uber $1.17 million on Tuesday for a large-scale data breach two years ago.
Uber paid the hackers responsible $100,000 to destroy the data, but didn't notify customers or drivers for more than a year, officials said.
"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," ICO Director of Investigations Steve Eckersley said. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
Because the breach happened in 2016, Uber was not subject to a new British law enacted in May, which would have penalized Uber with fines of up to 4 percent of its global revenues.
An Uber spokesperson said in a statement Tuesday the company is "pleased to close this chapter on the data incident from 2016."
"We've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since," it said. "We've also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward."