The Office of the Australian Information Commissioner (OAIC) has handed down its determination that Uber interfered with the privacy of over 1 million Australians in 2016.
Australia’s Information Commissioner and Privacy Commissioner Angelene Falk on Friday said US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to appropriately protect the personal data of an estimated 1.2 million Australian customers and drivers, which was accessed in a breach in October and November 2016.
It came to light in late 2017 that hackers had stolen data pertaining to 57 million Uber riders worldwide, as well as data on more than 600,000 drivers. Instead of notifying those impacted, Uber concealed the breach for more than a year and paid a hacker to keep it under wraps.
While Uber required the attackers to destroy the data and there was no evidence of further misuse, OAIC said its investigation focused on whether Uber had preventative measures in place to protect Australians’ data.
Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required.
The tech giant also failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP), she said.
“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” the determination says. “Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”
APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorised access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. Also breached, the OAIC found, was APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.
In her determination, Falk said the Uber companies must not repeat those acts and practices.
She has also requested that Uber prepare, within three months, a data retention and destruction policy that will, when implemented, enable and ensure compliance by the Uber companies with APP 11.2.
Falk has also asked Uber to establish an information security program and appoint an individual to lead it. The program must identify risks related to the security or integrity of personal information of Australian users collected and/or held by the Uber companies that could result in misuse, interference, or loss, or unauthorised access, modification, or disclosure of this information. It must also include refresher training for staff and rigorous safeguards.
The privacy commissioner also wants an incident response plan implemented by the company, which includes a clear explanation of what constitutes a data breach.
Falk said the matter raised complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.
In this case, Australians’ personal information had been directly transferred to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.
“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she added.
To that end, her determination also included a request for an independent assessment of Uber’s adherence to the Australian Privacy Act.
The commissioner has also ordered the Uber companies to appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.
Uber in September 2018 agreed to pay $148 million in a US settlement over the incident, and a few months later was fined over £900,000 by UK and Dutch watchdogs in relation to the 2016 data breach.
Two men pleaded guilty in October 2019 to the hack and Uber’s former chief security officer was charged in August 2020 by US authorities over the cover-up.
In response to the OAIC’s determination, an Uber spokesperson told ZDNet it welcomed the resolution to the incident.
“We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” they said.
“We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.
“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”
Updated 4:10pm AEST Friday 23 July 2021: Added statement from Uber spokesperson.