A three-year investigation into a cyber attack that stole data from Uber belonging to 1.2 million Australians has found that the US tech company failed to respond appropriately and paid the cyber criminals responsible a bug bounty for the breach.
Privacy Commissioner Angelene Falk’s review said Uber “interfered” with the privacy of around 1.2 million local users. But the company argued that it was not subject to Australia’s Privacy Act because the personal information of its Australian customers and drivers had been transferred to servers in the US under an outsourcing arrangement.
Commissioner Falk begged to differ, saying she was satisfied both Uber Technologies, Inc. and Dutch-based Uber B.V. were required to comply with the Privacy Act and failed to protect the personal data of users, which was accessed in a cyber attack in October and November 2016.
Uber also failed to disclose the breach responsibly, and did not conduct a full assessment of what information had been accessed until nearly a year after the data breach. It did not publicly disclose the breach until November 2017, and even then notified only drivers, not riders.
The Office of the Australian Information Commissioner (OAIC) began its investigation once that disclosure was made.
Privacy Act breached
The Commissioner found the Uber companies breached the Privacy Act by not taking reasonable steps to protect the personal information and destroy or de-identify the data as required. They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Falk said.
“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”
She believes greater regulatory action is needed to deal with global companies that store Australian data offshore.
The data was stored in AWS's Simple Storage Service (S3) in the US. The Commissioner found that the hackers obtained GitHub credentials for some Uber Technologies employees from an unrelated data breach and, using those reused credentials, gained access to 16 unencrypted backup files containing data belonging to around 57 million people globally. Of those, around 960,000 accounts belonged to Australian riders and 240,000 to drivers.
The data included names, email addresses and mobile phone numbers, driver licence numbers for some drivers, high-level summaries of rides performed (including how much drivers were paid over a week), and salted and hashed versions of then-current and previous user passwords.
Uber was made aware of the breach when the cyber criminals emailed the company seeking a ransom payment for the data.
Uber paid the attackers a US$100,000 reward through its bug bounty program on the condition that they destroy the data. The Commissioner found no evidence that the data was further misused.
Commissioner Falk said regulatory action was warranted in Australia following action taken in other jurisdictions in relation to the cyber attack.
“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she said.
Commissioner Falk ordered the Uber companies to:
- prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that will ensure the companies comply with the Australian Privacy Principles; and
- appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.