Search
Close this search box.

Uber breached 1.2 million Australians’ privacy in 2016

Share:

Privacy watchdog releases much-anticipated findings of investigation, revealing significant details were released in the 2016 hack.

Key takeaways

  • The Office of the Australian Information Commissioner has found Uber breached the Privacy Act
  • The company paid a silent ransom to the attackers in question but didn’t more broadly disclose the breach
  • This is in breach of its responsibilities under the Act
  • The hack affected some 1.2 million Australians


Uber failed to appropriately protect the personal data of more than a million Australian customers and drivers when it was compromised in its infamous 2016 hack, the privacy commission has found.

In a long-awaited determination released on Friday, privacy commissioner Angelene Falk revealed the global ride sharing company had interfered with the privacy of 1.2 million Australians by failing to comply with the Privacy Act.

The determination follows a “complex” investigation into Uber and its Dutch-based subsidiary, Uber B.V, following a cyber attack that took place in October and November 2016.

Uber disclosed the breach – which impacted 57 million users and drivers globally – in November 2017 and reported it to the Office of the Australian Information Commissioner in December 2017.

The company paid the attackers US$100,000 at the time to delete the stolen data, which included the names, email addresses and mobile phone numbers of customers.

But other than this, it largely kept quiet, and therein lays its problem.

The OAIC said Uber had breached the Privacy Act by “not taking reasonable steps to protect Australians’ personal information for unauthorised access and to destroy or de-identify the data as required”.

The commission said the company also “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement on Friday.

“Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”

Falk said that regulatory action was warranted in Australia following the cyber attack, but did not go as far as imposing a fine like the UK’s Information Commissioner’s Office (ICO) did in 2018.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement.

In addition to the fines, which amounted to 385,000 pounds in the UK and 600,000 euros in the Netherlands, Uber also agreed to pay a mouth-watering US$148 million settlement with 50 US states and Washington DC in September 2018.

In Australia, the OAIC has ordered Uber to prepare a data retention and destruction policy, information security program and incident response plan within three months, as well as appoint an independent expert to review the actions and report to OAIC within five months.

“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Falk said.

Falk added that the matter also “raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group”.

The determination reveals the personal information of Australians was transferred to servers in the US under an outsourcing arrangement, which Uber argued was not subject to Australia’s privacy laws.

The findings – and this incident more broadly – highlight the significant problems at play when it comes to companies acting responsibly when it comes to breaches. The reputational impact many fear as a result of breaches becoming known have driven them historically to erect a wall of silence – or at least attempt to.

But — as more recent history has shown — these sorts of breaches can never be kept quiet, and the importance of disclosing breaches now seems to be at the core of Australia’s regulatory regime when it comes to data breaches. To not disclose, then, is riskier for companies than the reputational impacts of doing so.

Picture of Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Solutions
Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →