Privacy watchdog releases much-anticipated findings of its investigation, revealing that significant amounts of personal data were exposed in the 2016 hack.
Key takeaways
- The Office of the Australian Information Commissioner has found Uber breached the Privacy Act
- The company paid a silent ransom to the attackers in question but didn’t more broadly disclose the breach
- This is in breach of its responsibilities under the Act
- The hack affected some 1.2 million Australians
Uber failed to appropriately protect the personal data of more than a million Australian customers and drivers when it was compromised in its infamous 2016 hack, the privacy commission has found.
In a long-awaited determination released on Friday, privacy commissioner Angelene Falk revealed the global ride-sharing company had interfered with the privacy of 1.2 million Australians by failing to comply with the Privacy Act.
The determination follows a “complex” investigation into Uber and its Dutch-based subsidiary, Uber B.V., following a cyber attack that took place in October and November 2016.
Uber disclosed the breach – which impacted 57 million users and drivers globally – in November 2017 and reported it to the Office of the Australian Information Commissioner in December 2017.
The company paid the attackers US$100,000 at the time to delete the stolen data, which included the names, email addresses and mobile phone numbers of customers.
But other than this, it largely kept quiet, and therein lies its problem.
The OAIC said Uber had breached the Privacy Act by “not taking reasonable steps to protect Australians’ personal information for unauthorised access and to destroy or de-identify the data as required”.
The commission said the company also “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.
“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement on Friday.
“Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”
Falk said that regulatory action was warranted in Australia following the cyber attack, but did not go as far as imposing a fine like the UK’s Information Commissioner’s Office (ICO) did in 2018.
In addition to the fines, which amounted to 385,000 pounds in the UK and 600,000 euros in the Netherlands, Uber also agreed to pay a mouth-watering US$148 million settlement with 50 US states and Washington DC in September 2018.
In Australia, the OAIC has ordered Uber to prepare a data retention and destruction policy, information security program and incident response plan within three months, as well as appoint an independent expert to review the actions and report to OAIC within five months.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Falk said.
Falk added that the matter also “raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group”.
The determination reveals the personal information of Australians was transferred to servers in the US under an outsourcing arrangement, which Uber argued was not subject to Australia’s privacy laws.
The findings – and this incident more broadly – highlight the significant problems at play when it comes to companies acting responsibly after a breach. The reputational impact many fear as a result of breaches becoming known has historically driven them to erect a wall of silence – or at least to attempt to.
But — as more recent history has shown — these sorts of breaches can never be kept quiet, and the importance of disclosing breaches now seems to be at the core of Australia’s regulatory regime when it comes to data breaches. To not disclose, then, is riskier for companies than the reputational impacts of doing so.