Thursday, September 23, 2021

OAIC: Uber found to have interfered with the privacy of over 1.2 million Australians


The Office of the Australian Information Commissioner (OAIC) has determined that Uber Technologies, Inc. and Uber B.V. have interfered with the privacy of over 1.2 million Australians.

Australia’s Information Commissioner and Privacy Commissioner Angelene Falk said on Friday that Uber failed to appropriately protect the personal data of more than a million Australian customers and drivers when it was accessed in a breach in October and November 2016.

Uber suffered a data breach that affected 57 million users and drivers globally in November 2017. Instead of notifying those affected, Uber concealed the breach for more than a year and paid a hacker to keep it under wraps. Uber reported details of the breach to the Office of the Australian Information Commissioner in December 2017.

The company paid the attackers US$100,000 at the time to delete the stolen data, which included the names, email addresses, and mobile phone numbers of customers, and to keep quiet.

Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorized access and to destroy or de-identify the data as required.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement on Friday.

APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorized access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. Also breached, the OAIC found, was APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.

In addition to the fines, which amounted to 385,000 pounds in the UK and 600,000 euros in Holland, Uber also agreed to pay a US$148 million settlement with 50 US states and Washington DC in September 2018.

Commissioner Falk has ordered the Uber companies to:

  • prepare, implement and maintain a data retention and destruction policy, an information security program, and an incident response plan that will ensure the companies comply with the Australian Privacy Principles
  • appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.

In response to the determination, Uber said it had made a series of technical improvements since the incident, including “obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies”.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

