Britain's Information Commissioner's Office (ICO), issued the £385k penalty to the ride-sharing company for showing "complete disregard" for customers as well as 82,000 drivers whose records were stolen.
Uber was also fined €600,000 in the Netherlands by the Dutch data protection authority where 174,000 citizens were affected by the worldwide hacking incident.
Details of the 2016 hack, which affected 57 million Uber users worldwide, were first disclosed a year later - when it also emerged that the company paid the hackers $100,000 to delete the data rather than notifying the victims.
The ICO said a series of "avoidable data security flaws" had allowed customers' personal details to be accessed and downloaded from a cloud-based storage system operated by Uber in the US.
They included full names, email addresses and phone numbers.
Driver details - including journeys made and fares paid were also taken during the incident in October and November 2016.
The ICO said the hackers used a process known as "credential stuffing", in which compromised username and password pairs are entered into websites until they are matched to an existing account, to gain access to Uber's data storage.
The regulator said the incident had the potential to expose customers and drivers affected to increased risk of fraud.
ICO director of investigations Steve Eckersley said: "This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen’’.
"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber-attack.