Mistakes are inevitable, but intentional acts can carry severe repercussions. Uber's decision to hide a data breach has taken the ride-hailing company down several wrong roads. The Office of the Australian Information Commissioner (OAIC) recently revealed its findings on the 2016 Uber data breach. The privacy watchdog found that Uber interfered with users' privacy, putting the personal data of around 1.2 million Australians at risk in 2016.
In an official statement, Angelene Falk, Australia's Information and Privacy Commissioner, said that the U.S.-based Uber Technologies Inc. and the Dutch-based Uber B.V. had failed to protect the personal information of their Australian customers and drivers when attackers allegedly accessed users' data in October and November 2016.
Uber had required the attackers to destroy the stolen data so that no trace of the breach remained. However, the OAIC investigation found that Uber had not taken reasonable security measures to safeguard Australians' personal information and had therefore violated the Privacy Act 1988.
“Commissioner Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorized access and to destroy or de-identify the data as required. They also failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles,” the OAIC said.
De-Identification of the Breach
In 2016, Uber sustained a data breach in which personal data was taken from the company's network, including the names and driver's license information of 600,000 drivers and the email addresses and phone numbers of 57 million Uber users. Instead of reporting the security incident, Uber reportedly paid the attackers, Glover and Mereacre, $100,000 in ransom to keep the hack secret. In October 2019, the two perpetrators pleaded guilty to the extortion scheme. Uber was fined millions of dollars by multiple data privacy regulators for not disclosing the breach until November 2017.
Falk alleged that Uber disregarded the security incident by not conducting any security audit of the users' personal information that the attackers had illicitly accessed. While Falk stated that Australians' data had been transferred to servers located in the U.S. under an outsourcing arrangement, the U.S.-based Uber Technologies Inc. argued that it was not subject to the Privacy Act.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act. The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group,” Falk said.
What is Uber required to do?
Commissioner Falk has ordered the Uber companies, wherever they are located, to:
- Maintain a data retention and destruction policy
- Implement an information security program and an incident response plan that comply with the Australian Privacy Principles
- Appoint an independent cybersecurity expert to review and report on these policies and programs and their implementation
- Submit the resulting security audit reports to the OAIC regularly
“This determination makes my view of global corporations’ responsibilities under Australian privacy law clear. Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” Falk added.