The Office of the Australian Information Commissioner (OAIC) has found that Uber Technologies, Inc. violated the privacy of an estimated 1.2 million Australians, and failed to investigate and disclose a data breach from 2016 in a timely manner.
Australian Information Commissioner and Privacy Commissioner Angelene Falk stated Friday that Uber breached the Privacy Act by not taking reasonable steps to protect the personal information of customers and drivers from a cyber attack that took place over a two-month period in late 2016.
The OAIC, which focused on whether Uber had preventative measures in place to protect the personal information of Australians, determined that Uber “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.”
According to Falk, Uber not only failed to disclose and investigate the breach in a timely manner, but rewarded the attackers “through a bug bounty program for identifying a security vulnerability.” Falk noted that Uber did not conduct a full assessment of the breach until almost a year later, in November 2017, when it finally disclosed the breach to the public.
Stating that regulatory action was necessary and warranted even in light of the action already taken in other countries over the attack, Falk added:
We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act. The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group…This determination makes my view of global corporations’ responsibilities under Australian privacy law clear. Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.
Falk concluded by ordering Uber and its affiliates to 1) prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that will ensure compliance with Australian privacy laws; and 2) appoint an independent expert to review and report on these policies and programs and their implementation, submit reports to the OAIC, and make any necessary changes recommended in the reports.
The OAIC's full determination is dated June 30. Among other things, the independent expert is required to hold a Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) credential, have at least five years of experience evaluating the effectiveness of computer systems or information system security, and be well-versed in the Australian Privacy Act.
The independent expert is to be appointed by September 30 and must prepare an expert report by November 30; Uber must provide that report to the OAIC within 14 days of its date.