Uber found to have breached privacy of 1.2 million Aussies in 2016

Uber failed to appropriately protect the personal data of more than a million Australian customers and drivers when it was compromised in a 2016 hack, the privacy commission has found.

In a long-awaited determination released on Friday, privacy commissioner Angelene Falk revealed the global ride sharing company had interfered with the privacy of 1.2 million Australians by failing to comply with the Privacy Act.

The determination follows a “complex” investigation into US-based Uber Technologies and its Dutch-based subsidiary, Uber B.V, following a cyber attack that took place in October and November 2016.

Uber disclosed the breach – which impacted 57 million users and drivers globally – in November 2017 and reported it to the Office of the Australian Information Commissioner in December 2017.

The company paid the attackers US$100,000 at the time to delete the stolen data, which included the names, email addresses and mobile phone numbers of customers, and keep quiet.

On Friday, the OAIC said Uber had breached the Privacy Act by “not taking reasonable steps to protect Australian’s personal information for unauthorised access and to destroy or de-identify the data as required”.

The commission said the company also “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” OAIC said in a statement on Friday.

“Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”

Falk said that regulatory action was warranted in Australia following the cyber attack, but did not go as far as imposing a fine like the UK's Information Commissioner's Office (ICO) did in 2018.

In addition to the fines, which ammounted to 385,000 pounds in the UK and 600,000 euros in the Netherlands, Uber also agreed to pay a US$148 million settlement with 50 US states and Washington DC in September 2018.

In Australia, the OAIC has ordered Uber to prepare a data retention and destruction policy, information security program and incident response plan within three months, as well as appoint an independent expert to review the actions and report to OAIC within five months.

“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Falk said.

Falk added that the matter also “raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group”.

The determination reveals the personal information of Australians was transferred to servers in the US under an outsourcing arrangement, which Uber argued was not subject to Australia’s privacy laws.

“This determination makes my view of global corporations’ responsibilities under Australian privacy law clear,” Falk added.

“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.”

In response to the determination, Uber said it had made a series of technical improvements since the incident, including "obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies".

"We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required," a spokesperson said.

"We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users."

Updated at 4:38pm to include Uber statement