Uber found to have interfered with privacy

UPDATE:

Uber's response:

“We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users.

“We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.

“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

  • Uber has already completed an independent assessment of its Information Security Program pursuant to the U.S. Attorneys’ General judgment, which found that Uber’s safeguards are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of personal information of riders and drivers that it maintains, and that Uber maintained an Information Security Program reasonably designed to protect the security, integrity, and confidentiality of the personal information of its riders and drivers.

ORIGINAL RELEASE:


Australian Information Commissioner and Privacy Commissioner Angelene Falk has determined that Uber Technologies, Inc. and Uber B.V. interfered with the privacy of an estimated 1.2 million Australians.

Commissioner Falk found the Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016.

The determination follows detailed investigations into US-based Uber Technologies, Inc. and Dutch-based Uber B.V., which involved significant jurisdictional matters and complex corporate arrangements and information flows.

While Uber required the attackers to destroy the data and there was no evidence of further misuse, the investigation by the Office of the Australian Information Commissioner (OAIC) focused on whether Uber had preventative measures in place to protect Australians’ data.

Commissioner Falk found the Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required. They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.

Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.

Commissioner Falk said regulatory action was warranted in Australia following action taken in other jurisdictions in relation to the cyber attack.

“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” she said.

“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”

In this case, Australians’ personal information had been directly transferred to servers in the United States under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.

Commissioner Falk said she was satisfied both Uber companies were required to comply with the Privacy Act.

“This determination makes my view of global corporations’ responsibilities under Australian privacy law clear,” Commissioner Falk said.

“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.”

Commissioner Falk has ordered the Uber companies to:

  • prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that will ensure the companies comply with the Australian Privacy Principles
  • appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.

The full determination can be found at oaic.gov.au/privacy-determinations
