
OAIC: Uber failed to protect personal data of Australians

Uber did not take reasonable steps to protect Australians’ personal information from unauthorised access, says Australia’s national privacy watchdog

Uber failed to protect the personal data of 1.2 million Australian customers and drivers, which was accessed in a cyber attack in October and November 2016, Australia’s privacy watchdog has found.

The determination follows detailed investigations into US-based Uber Technologies and Netherlands-based Uber B.V., which involved significant jurisdictional questions and complex corporate arrangements and information flows.

While Uber required the attackers to destroy the data and there was no evidence of further misuse, the investigation by the Office of the Australian Information Commissioner (OAIC) focused on whether Uber had taken preventative measures to protect Australians’ data.

Australian information commissioner Angelene Falk said the Uber companies breached Australia’s privacy laws by not taking reasonable steps to protect Australians’ personal information from unauthorised access, and to destroy or de-identify the data as required.

They also failed to take reasonable steps to implement practices, procedures and systems to comply with Australian privacy principles.

According to the OAIC’s report on its investigation into the data breach, the attackers had identified an active Amazon Web Services credential in one of Uber’s GitHub repositories. They then used the credential to download the contents of 16 files from Uber’s storage on Amazon’s S3 cloud service.

Some of those files contained archived driver and rider data. They were unencrypted backup files that had been created outside Uber’s usual processes in connection with migrating data to a new system.


Rather than disclosing the breach, Uber paid the attackers a reward through its bug bounty programme for identifying a security vulnerability.

The OAIC said Uber also did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach. The ride-hailing pioneer did not publicly disclose the data breach until November 2017.

Falk noted that regulatory action was warranted in Australia following action taken in other jurisdictions in relation to the cyber attack. “We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” she said. “The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”

In this case, Australians’ personal information had been directly transferred to servers in the US under an outsourcing arrangement, and the US-based company argued it was not subject to the Privacy Act.

Falk said she was satisfied that both Uber companies were required to comply with Australia’s Privacy Act. “This determination makes my view of global corporations’ responsibilities under Australian privacy law clear,” she added. “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.”

As a result of OAIC’s ruling, Uber is required to implement and maintain a data retention and destruction policy, information security programme, and incident response plan that will ensure it complies with Australia’s privacy principles.

It will also need to appoint an independent expert to review and report on these policies and programmes and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.
