Uber breached 1.2 million Australian customers’ privacy when it failed to protect their data from a cyber attack in 2016, the Privacy Commissioner has determined after a three-and-a-half-year investigation which encountered “jurisdictional issues”.
Names, email addresses, driver’s licence numbers, and location data were stolen in the attack, and Uber paid the cyber criminals to destroy the data through its bug bounty program rather than disclosing the breach responsibly.
The ride hailing giant will only have to make modest remedies, however, including reviewing its data governance and security programs with external experts and implementing their advice within a year.
But the Privacy Commissioner insists the decision sends a clear message that companies must protect Australians’ data even when it is processed overseas. The lengthy investigation has also demonstrated the “jurisdictional issues” which have made pursuing multinationals difficult.
The watchdog’s investigation ran for more than three years, which is understood to be due to the complex, cross-jurisdictional nature of the case; the investigation was also expanded several times.
The breach occurred in 2016 when attackers gained access to the credentials of an Uber employee, giving them access to data stored by Amazon Web Services, including unencrypted files.
Attackers downloaded the files which related to around 57 million individuals worldwide, including 1.2 million Australians.
Uber became aware of the breach almost immediately because the attackers emailed the company demanding payment. Uber paid the attackers US$100,000 through a bug bounty program, which is supposed to be used for good faith disclosures of vulnerabilities, not extortion.
The tech giant says it obtained written assurances from the attackers they had destroyed the data.
Uber did not formally investigate the breach with external cyber experts until nearly a year later, and said the investigation found no evidence the data had been misused.
The company then went public and contacted some of the drivers whose data had been compromised but not riders.
The Office of the Australian Information Commissioner (OAIC) began an investigation shortly after the public disclosure in late 2017. It made a determination late last month, more than three and a half years later.
The case was considered complex and important because it dealt with a breach by the US parent of the Uber entity operating in Australia, which is itself a Dutch company.
Uber had argued that, because the US company processed the data offshore, the breach it suffered was not subject to Australian privacy law.
But Australian Information Commissioner and Privacy Commissioner Angelene Falk, who made the determination, said she was satisfied that both Uber entities had an “Australian link” at the time of the breach and were required to comply with the Privacy Act.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Ms Falk said.
“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”
The investigation dragged out because of the inclusion of the Dutch-based Uber company operating in Australia, which was added to the probe in 2019, and because of the US parent’s argument that it was not subject to Australian privacy law, an OAIC spokesperson told InnovationAus.
“The Uber determination demonstrates the complex jurisdictional issues that can arise in applying the Privacy Act 1988 in its current form to multinational corporate structures and data flows…The US-based entity argued it was not subject to the Privacy Act, and so a formal determination was necessary to address the privacy breach. This also required extensive investigation to establish the OAIC’s jurisdiction in this matter,” the spokesperson said.
“The existing test for establishing jurisdiction is complex, and the Australian Government’s current review of the Privacy Act is an opportunity to address this issue. The OAIC’s submission to the review proposes amendments to ensure we can more easily address the privacy risks to Australians whose personal information is held by multinational companies based overseas.”
Ms Falk said her determination made clear the responsibilities of global corporations under Australian privacy law.
“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she said.
Ms Falk determined Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to de-identify or destroy the data as required.
They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles, according to the watchdog.
Ms Falk ordered Uber to prepare, implement and maintain a data retention and destruction policy, an information security program, and an incident response plan that complies with Australian privacy law.
The company must also use independent experts to review and report on the policies and their implementation, and report the findings to the OAIC.
A spokesperson for Uber said the company has made several technical upgrades and security certifications, and policy and leadership changes since the 2016 breach.
“We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” the spokesperson told InnovationAus.
“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”
Do you know more? Contact James Riley via Email.