Uber Under Investigation for Leaking 1.2 Million Australians’ Private Data

Australia’s data regulator has found that US multinational tech company Uber compromised the privacy of 1.2 million of its customers as a result of a 2016 global data breach.

The Office of the Australian Information Commissioner (OAIC) adjudged that Uber violated several principles that form part of the Privacy Act 1988, the country’s federal privacy legislation.

On July 23, the OAIC released a report about its investigation of Uber’s highly controversial 2016 breach that it kept under wraps for more than a year.

The OAIC says that the company’s transgressions include failing to:

• take reasonable steps to protect personal information against unauthorised access
• delete or de-identify data that is no longer needed
• take steps to comply with Australian Privacy Principles (APPs)

Uber, whose services include ride-sharing, food delivery, couriers, freight transportation and electric bicycle/scooter rentals, will be required to create an information security program that identifies data risks. It also must conduct regular testing and monitoring, appoint a coordinator for its information security program, and create an incident response plan that complies with specified APPs.

Approximately 1.2 million Australian accounts were affected in the 2016 breach. Of these, some 960,000 were used only as rider accounts and the remaining 240,000-odd accounts were driver accounts (or both driver and rider accounts).

US$100,000 in Bitcoin Paid to Hackers in 2016 Data Breach

In 2019, two US hackers pleaded guilty in connection with a global extortion campaign tied to the theft of data on about 57 million Uber customers and drivers, which took place from October 2016 to January 2017.

The hackers admitted to using the stolen data to extort bitcoin ransom payments from Uber in exchange for permanent deletion of the records. Uber paid the hackers US$100,000 in bitcoin in an attempt to muzzle the issue and did not reveal the breach until November 2017.

Uber Has Three Months to Engage Third Party Data Experts

Uber has been given three months to prepare the following policies, programs and plans to comply with specified APPs:

• a data retention and destruction policy
• an information security program
• an incident response plan

Within another two months, Uber must engage an independent third party (or third parties) to prepare a written report that specifies whether its amended policies and programs have been prepared in accordance with OAIC directions.

In April this year, Ledger and Shopify were hit with a class-action lawsuit over a 2020 data breach. And almost a year ago, Crypto News reported that Australia was subject to almost three significant data breaches every day, with leading cybersecurity and blockchain experts fingering China as the source.