The Office of the Australian Information Commissioner (OAIC) has found Uber Technologies in breach of the Australian Privacy Act 1988 over the 2016 data breach, in which the personal information of an estimated 1.2 million Australians was compromised.
The determination follows a five-year OAIC investigation covering both the initial breach and Uber's subsequent conduct, which included paying the attackers through its bug bounty program to delete the data and not disclosing the breach until late 2017.
Despite the finding, the OAIC has not imposed a fine on the company.
“Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that Uber Technologies, Inc. and Uber B.V. interfered with the privacy of an estimated 1.2 million Australians,” the OAIC announced.
“Commissioner Falk found the Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016.
“The determination follows detailed investigations into US-based Uber Technologies Inc and Dutch-based Uber B.V. which involved significant jurisdictional matters and complex corporate arrangements and information flows.
“While Uber required the attackers to destroy the data and there was no evidence of further misuse, the investigation by the Office of the Australian Information Commissioner (OAIC) focused on whether Uber had preventative measures in place to protect Australians’ data.
“Commissioner Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”
As the OAIC noted, Uber did not confirm the extent of the attack until 2017. A statement released by Uber chief executive Dara Khosrowshahi said the data accessed included “the names and driver’s licence numbers of around 600,000 drivers in the United States”.
“Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers,” it said.
Following the data breach, Norton Australia advised, “While Uber states that there is no need for action, there are still things you should be on the lookout for when breaches of this magnitude occur. When popular companies are gaining major headlines in the mainstream media, scammers may attempt to take advantage of the chatter around this incident.
“Cyber criminals may attempt to launch phishing attacks, appearing to come from Uber, hoping to trick unsuspecting customers into providing personal information, such as account credentials or payment card information. In the case of a major security incident like this, it’s always best to go straight to the source — the company’s official website, and not click on any of the links in the email.”
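The link-checking half of that advice can be put into code. The following is an added example, not part of the article or of Norton's guidance: it pulls every http(s) URL out of a constructed phishing email body and flags any whose host is not uber.com or a subdomain of it, matching on label boundaries so that lookalikes such as uber.com.account-verify.net, suffix tricks such as not-uber.com, and userinfo tricks such as http://uber.com@192.0.2.10/ are all caught. It also checks the domain of the From: address, since display names are trivially spoofed. The allowlist, the sample message and the helper names are assumptions for illustration.

```python
"""Flag links in a suspected phishing email whose host is not the
sender organisation's real domain.

Added example; not code from the original article or from Norton.
The sample email is constructed, and the allowlist assumes the
organisation's legitimate domain is uber.com.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: the legitimate organisation domain (subdomains allowed).
LEGIT_DOMAINS = {"uber.com"}

# Matches http(s) URLs up to whitespace or common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample, modelled on the kind of lure the article warns about.
SAMPLE_EMAIL = """\
From: Uber Security <security@uber-support.com>
Subject: Your account was affected by the data breach

We have detected unauthorised access. Verify your account now:
https://uber.com.account-verify.net/login
Or restore via https://www.uber.com/security/ if the above fails.
Billing: http://uber.com@192.0.2.10/pay
Help: https://help.uber.com/
"""


def host_is_legit(host, allowlist=LEGIT_DOMAINS):
    """True only if host equals an allowlisted domain or is a subdomain of it.

    Comparing on label boundaries (exact match, or '.' + domain as suffix)
    rejects 'uber.com.account-verify.net' (uber.com is a prefix, not the
    registrable suffix) and 'not-uber.com' (suffix match without a dot).
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify_links(email_body, allowlist=LEGIT_DOMAINS):
    """Return (url, host, verdict) for every http(s) URL in the body."""
    results = []
    for url in URL_RE.findall(email_body):
        # urlparse().hostname drops userinfo, so 'http://uber.com@192.0.2.10/'
        # yields the real host '192.0.2.10', not the bait before the '@'.
        host = urlparse(url).hostname or ""
        verdict = "ok" if host_is_legit(host, allowlist) else "suspicious"
        results.append((url, host, verdict))
    return results


def sender_is_legit(from_header, allowlist=LEGIT_DOMAINS):
    """Check only the domain of the From: address; display names are ignored."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return bool(m) and host_is_legit(m.group(1), allowlist)


if __name__ == "__main__":
    from_line = SAMPLE_EMAIL.splitlines()[0]
    print("sender", "ok" if sender_is_legit(from_line) else "suspicious")
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:32} {url}")
```

Run against the constructed message, the checker marks the sender and two of the four links as suspicious; only www.uber.com and help.uber.com pass. The point of the label-boundary comparison is that a plain substring test for "uber.com" would have passed every link in the sample.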