1.2 Million Aussies Suffered when Uber was Breached in 2016

 

Uber infringed on the privacy of more than 1 million Australians in 2016, according to the Office of the Australian Information Commissioner (OAIC). Personal data of an estimated 1.2 million Australian customers and drivers was accessed from a breach in October and November 2016, Australia's Information Commissioner and Privacy Commissioner Angelene Falk said on Friday that US-based Uber Technologies Inc and Dutch-based Uber B.V. failed to adequately protect it.

In late 2017, it was revealed that hackers had stolen data on 57 million Uber users throughout the world, as well as data on over 600,000 Uber drivers. Uber hid the breach for over a year and paid the hacker to keep it hidden instead of notifying individuals affected. OAIC said its investigation focused on whether Uber had preventative measures in place to secure Australians' data, even though Uber compelled the attackers to destroy the data so that there was no evidence of future exploitation. 

The Uber company, according to Falk, violated the Privacy Act 1988 by failing to take reasonable precautions to protect Australians' personal information from unauthorized access and destroy or de-identify the data as required. She also claimed that the tech giant failed to take reasonable steps to implement practices, procedures, and systems to ensure compliance with the Australian Privacy Principles (APP). 

"Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability," the determination says. "Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017." 

Falk said the case presented complicated questions about how the Privacy Act applies to firms situated overseas that outsource the handling of Australians' personal information to other companies within their corporate group. "Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group," she added. 

Uber agreed to pay $148 million in a US settlement over the incident in September 2018 and was fined over £900,000 by the UK and Dutch regulators a few months later for the 2016 data breach. In October 2019, two men pled guilty to the hack, and US authorities accused Uber's former chief security officer in August 2020 of the cover-up. "We learn from our mistakes and reiterate our commitment to continue to earn the trust of users," an Uber spokesperson said.