Uber interfered with privacy of 1.2 million Australians
The Office of Australian Information Commissioner (OAIC) has determined that Uber interfered with the privacy of around 1.2 million Australians.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016.
The determination follows detailed investigations, which involved significant jurisdictional matters and complex corporate arrangements and information flows.
While Uber required the attackers to destroy the data and there was no evidence of further misuse, the OAIC investigation focused on whether Uber had preventive measures in place to protect Australians’ data.
The Uber companies were found to have breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability.
Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.
Commissioner Falk said regulatory action was warranted in Australia following action taken in other jurisdictions in relation to the cyber attack.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” she said.
“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”
In this case, Australians’ personal information had been directly transferred to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.
Commissioner Falk said she was satisfied both Uber companies were required to comply with the Privacy Act.
“This determination makes my view of global corporations’ responsibilities under Australian privacy law clear,” Commissioner Falk said.
“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.”
Commissioner Falk has ordered the Uber companies to: prepare, implement and maintain a data retention and destruction policy, information security program and incident response plan that will ensure the companies comply with the Australian Privacy Principles; appoint an independent expert to review and report on these policies and programs and their implementation; submit the reports to the OAIC; and make any necessary changes recommended in the reports.
Uber welcomed the resolution to the data incident. “We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” said an Uber spokesperson.
“We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.
“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required,” the spokesperson said.