The Office of the Australian Information Commissioner (OAIC) has determined that Uber Technologies, Inc. and Uber B.V. have interfered with the privacy of over 1.2 million Australians.
Australia’s Information Commissioner and Privacy Commissioner Angelene Falk on Friday said Uber failed to appropriately protect the personal data of more than a million Australian customers and drivers when it was accessed in a breach in October and November 2016.
The breach, which impacted 57 million users and drivers globally, was only disclosed by Uber in November 2017. Instead of notifying those impacted at the time, Uber concealed the breach for more than a year and paid a hacker to keep it under wraps. Uber reported details of the breach to the Office of the Australian Information Commissioner in December 2017.
The company paid the attackers US$100,000 at the time to delete the stolen data, which included the names, email addresses, and mobile phone numbers of customers, and to keep quiet about the intrusion.
Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorized access and to destroy or de-identify the data as required.
“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement on Friday.
APP 11.1 requires companies to take reasonable steps to protect personal information against unauthorized access, while APP 11.2 requires reasonable steps to be taken to delete or de-identify personal information that is no longer needed for a permitted purpose. The OAIC also found a breach of APP 1.2, which requires companies to take reasonable steps to implement practices, procedures, and systems relating to the entity’s functions or activities, to ensure compliance with the APPs.
Uber has already been penalized for the same breach in other jurisdictions: it was fined £385,000 in the UK and €600,000 in the Netherlands, and in September 2018 it agreed to pay a US$148 million settlement with 50 US states and Washington DC.
Commissioner Falk has ordered the Uber companies to:
- prepare, implement and maintain a data retention and destruction policy, an information security program, and an incident response plan that will ensure the companies comply with the Australian Privacy Principles
- appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any changes recommended in the reports.
In response to the determination, Uber said it had made a series of technical improvements since the incident, including “obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies”.