Australia’s Response to The Uber Privacy Breach: Fallout from Uber Paying Hackers to Conceal a Massive Data Breach
In July 2021, the Australian Privacy Commissioner issued a determination relating to Uber’s well-publicised data breach from 5 years earlier, finding that Uber had interfered with the privacy of Australians. Although no damages or compensation were awarded as a result of the interference, the decision raises a number of interesting issues.
Background to Uber Privacy breach
In October and November 2016, two hackers accessed a third-party cloud-based service Uber used to store user data and stole the data of 57 million global users (the Uber Privacy Breach). The data stolen included the names and driver’s license numbers of around 600,000 drivers, as well as the names, email addresses, and mobile phone numbers of other users. Instead of notifying relevant regulatory authorities and the affected users about the breach, Uber quietly paid the hackers $100,000 to destroy the data and attempted to sweep the incident under the rug, with details only coming to light in 2017. You can read Uber’s Statement on the incident here for further details.
An estimated 1.2 million of the affected users are Australians. As a result, the Office of the Australian Information Commissioner (OAIC) initiated an investigation into Uber to ascertain whether the rideshare giant breached the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs). The outcome: It was determined that Uber failed to comply with the APPs. But there are a number of important findings in the decision.
Important Findings in the OAIC’s Investigation into the Uber Privacy Breach
Uber Must Comply with Australian Privacy Laws
This investigation raised “complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information”. The Australian Privacy Act applies to organisations that carry on business in Australia (as well as organisations incorporated in Australia, etc.). The interpretation of what it means to be ‘carrying on business’ in Australia in the privacy context has been considered before (see the Ashley Madison decision and the earlier investigation into the Sony breach). But it was considered in some detail by the Commissioner in the Uber case.
Uber argued that personal information about Australians had been directly transferred to servers in the United States under an outsourcing arrangement, without interaction with any Australian-based Uber entity. Based on this, the US-based company argued it was not subject to the Privacy Act as it was not carrying on business in Australia.
It was determined that the US branch of Uber, Uber Technologies, Inc. (UTI), engaged in repetitive and permanent commercial activities in Australia, despite not having a physical presence in Australia. On the facts, this was sufficient to establish that UTI was subject to the Privacy Act.
Uber’s Breaches of the Privacy Act & Failure to Comply with the APPs
Ultimately, it was found that Uber interfered with the privacy of 1.2 million Australians by failing to comply with two of the APPs, namely:
- APP 11.1: requirement to take reasonable steps to protect personal information against unauthorised access
- APP 11.2: requirement to take reasonable steps to delete or de-identify personal information that is no longer needed for a permitted purpose.
Uber also failed to “take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities, to ensure compliance with the APPs”, as required by APP 1.2.
Consequences of the Uber Privacy Breach
As a result of the breach, Uber must make some changes to the way it manages the personal information it collects on Australians by 23 October 2021. These changes include that Uber must:
- Implement a compliant data retention and destruction policy.
- Implement a more robust and compliant information security program.
- Allocate responsibility for the information security program to an employee or employees.
- Train its employees who have access to Australian users’ personal information.
- Implement a compliant incident response plan.
- Engage a third-party expert to prepare a written report on Uber’s compliance with the determination by December 23.
Privacy 108’s Thoughts on the OAIC’s Determination
The Federal Trade Commission also issued its decision and order to Uber in 2018, requiring Uber to implement a comprehensive privacy program in the US and submit to biennial third-party assessments for a period of 20 years.
In comparison, Australia’s regulators have been relatively sluggish in their response to the Uber privacy breach – with the decision being released on 30 June 2021 (following receipt of notification of the data breach in 2017).
It has been reported that the failure to seek a penalty for breach was because none of the affected individuals filed a complaint. This might be because they did not know of the data breach, not having been notified about it at the time. The terms of the enforceable order are also relatively lacklustre when compared to the outcome in other jurisdictions. Although the time frames for designing and implementing new security programs are aggressive, Uber is really only being asked to start complying with Australian law and provide evidence of that compliance. The requirements to be met are amongst the most basic that any organisation should have in place:
- Data retention and destruction policy;
- An information security program;
- Incident response capability;
- Training and awareness.
For an organisation that processes the details of over 1 million Australians, including their location data, it might be expected that much more rigorous security controls would be in place.
There is no order for ongoing monitoring of the rideshare giant’s compliance – and no penalty of substance for their past noncompliance.
While this determination doesn’t strongly incentivise compliance with the Australian Privacy Act and APPs, compliance remains important. The investigation took a long time and would have involved significant internal resources. There will also be significant costs in the implementation of the additional security controls and their review by a third party expert, to be retained by Uber at its own expense.
There are benefits to implementing strong privacy protections, including increased consumer trust and loyalty and decreased risk of reputational or financial harm in the event of a breach.