Australia Says Uber 'Interfered' With Users' Privacy
Uber Must Tighten Data Handling, Regulator Says
Australia's data regulator has found that Uber interfered with the privacy of 1.2 million of its customers as a result of a 2016 global data breach.
The Office of the Australian Information Commissioner determined Uber violated several of the Australian Privacy Principles that are part of the Privacy Act 1988, the country's federal privacy legislation. On Friday, the OAIC released a report about its investigation of Uber's highly controversial 2016 breach that it covered up for more than a year (see Uber Concealed Breach of 57 Million Accounts for a Year).
The OAIC says that the company's violations include failing to: take reasonable steps to protect personal information against unauthorized access, delete or de-identify data that is no longer needed and take steps to comply with APPs.
The agency, however, says it did not receive complaints about the Uber breach, and thus was not authorized to award compensation simply because an organization violated the Privacy Act.
But Uber will be required to create an information security program that identifies data risks. It also must conduct regular testing and monitoring, appoint a coordinator for its information security program and create an incident response plan that complies with APPs.
Uber says in a statement that the company welcomes "this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users."
Uber says it's made technical improvements that include obtaining ISO 27001 certifications for its core rides business information systems. The company also has updated its internal security policies and will work with a third-party assessor to implement any further changes.
“We are confident that these changes in security and governance will address the determination made by the OAIC and will work with a third-party assessor to implement any further changes required,” the company says.
2016 Data Breach
The OAIC action comes almost five years after Uber's systems were infiltrated by attackers who stole user data. Uber's cover-up of the incident spurred outrage, inquiries and action by several regulators worldwide.
Two attackers obtained login credentials from a private GitHub site that was used by some of Uber's engineers. They then used those login credentials to access an Amazon Web Services account that had an archive with rider and driver information.
All told, there were 57 million accounts exposed. The data affected included names, email addresses and phone numbers for Uber customers as well as personal information of 7 million drivers and 600,000 driver's license numbers.
Uber paid $100,000 in bitcoin to the two attackers and positioned the payment as a bug bounty. Uber did not reveal the breach until more than a year later in November 2017.
Shortly after that disclosure, Uber fired Joe Sullivan, its CSO. Sullivan, who is now CSO for Cloudflare, was charged in the U.S. with obstruction of justice and misprision, which is the deliberate concealment of a felony or treasonable act.
Prosecutors allege Sullivan misled the Federal Trade Commission as well as Uber's own management about the 2016 breach. Sullivan could face up to eight years in prison if convicted on both charges (see Former Uber CSO Charged With Covering Up 2016 Data Breach).
The two men who breached Uber, Brandon Charles Glover of Winter Springs, Florida, and Vasile Mereacre of Toronto, pleaded guilty to one count of conspiracy to commit extortion. The two men were also accused of attempting to blackmail Lynda.com, which is now called LinkedIn Learning.
Australian Data Means Australian Law Applies
The OAIC's action against Uber was complicated by the global company's structure. Uber argued that it was not subject to Australia's Privacy Act because it had transferred Australians' personal information to the U.S.
The regulator's investigations covered Uber Technologies, which is based in the U.S., and Uber B.V., which is in the Netherlands. The OAIC says its investigation "involved significant jurisdictional matters and complex corporate arrangements and information flows."
“This determination makes my view of global corporations’ responsibilities under Australian privacy law clear,” says OAIC Commissioner Angelene Falk. “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.”
In the U.S., Uber reached a $148 million settlement with the attorneys general of 50 states and the District of Columbia. Uber pledged to be more transparent (see Uber Reaches $148 Million Breach Settlement With States).
In the U.K., the Information Commissioner's Office alleged that the Uber breach exposed the details of 2.7 million riders and 82,000 drivers. The office fined Uber 385,000 pounds ($529,000) in November 2018. In the same month, the Netherlands' data protection authority fined Uber 600,000 euros ($707,000) for failing to report the incident within 72 hours (see Uber Fined $1.2 Million in EU for Breach Disclosure Delay).