Uber drew the wrath of users and regulators after the company waited a year before revealing in November 2017 that hackers had infiltrated its systems.
The French Data Protection Authority said the breach would have been prevented “if certain elementary security measures had been in place.”
Uber has already paid $148 million to US authorities to avoid a potentially embarrassing court case, and vowed to improve its security efforts.
Last month, the Netherlands imposed a 600,000-euro fine over the breach and Britain ordered Uber to pay 385,000 pounds ($490,000).
The company, which is widely expected to launch a public stock offering next year, has been trying to burnish its reputation after a series of scandals over executive misconduct and its competitive practices.
Uber was informed about the breach by the hackers themselves, and the firm paid them $100,000 to keep quiet about their exploit and destroy the data.
The company said it has learnt lessons from its mistakes in the incident and has hired top-notch security experts.
“After the incident and in the following years we made several technical improvements to our security,” an Uber spokeswoman said Thursday.
“We have also made important changes to our management to insure transparency with regulatory authorities and clients,” she added.