26 September 2023

Uber hailed down over alleged privacy breach

Uber has interfered with the privacy of an estimated 1.2 million Australians, according to the Australian Information Commissioner and Privacy Commissioner Angelene Falk.

Commissioner Falk said that following detailed investigations into US-based Uber Technologies Inc and Dutch-based Uber B.V., she found the companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016.

“While Uber required the attackers to destroy the data and there was no evidence of further misuse, the investigation by the Office of the Australian Information Commissioner (OAIC) focused on whether Uber had preventative measures in place to protect Australians’ data,” Commissioner Falk said.

“The Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required,” she said.

“They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.”

Commissioner Falk said that instead of disclosing the breach “responsibly”, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability.

The Commissioner said Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.

She said regulatory action was warranted in Australia following action taken in other jurisdictions in relation to the cyber attack.

“We need to ensure that in future, Uber protects the personal information of Australians in line with the Privacy Act,” she said.

“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”

Commissioner Falk has ordered the Uber companies to implement a data retention and destruction policy, information security program and incident response plan that will ensure the companies comply with the Australian Privacy Principles, and to appoint an independent expert to review and report to the OAIC on the policies and programs.

A spokesperson for Uber said the company welcomed the resolution of the 2016 data incident, adding that the company had learned from its mistakes.

“We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016,” the spokesperson said.

“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

The Commissioner’s 40-page determination can be accessed at this PS News link.