BLUF

Uber covered up a data breach in 2016 that affected the privacy of 1.2 million Australians; as a result, the Australian Privacy Commissioner has ordered Uber to comply with Australian Privacy Principles.

Summary

In October and November 2016, hackers stole the data of over 57 million people worldwide from Uber's database. Acting out of self-interest, Uber concealed this data breach and did not inform its customers.

Australia's Information and Privacy Commissioner Angelene Falk stated that Uber failed to:

Protect the personal data of 1.2 million Australians.

Notify those impacted.

Conduct an assessment of the personal information accessed. 

Comply with the Privacy Act 1988 (APA) and several Australian Privacy Principles (APP) requirements.

Further, Falk said Uber concealed the breach for over 12 months and paid the hackers for their silence.

Falk ordered Uber to:

Review and report on APP policies and programs.

Submit the reports to the Office of the Australian Information Commissioner, and make the recommended changes.

Falk requested that Uber:

Prepare a data retention and destruction policy.

Establish an information security program and an individual to run it. 

Implement an incident response plan to data breaches.

Conduct an independent assessment of Uber's adherence to the APA.

References

Aug 2020, ZDNet: Former Uber CSO charged for 2016 hack cover-up

Sep 2020, Corporate Compliance Insights: Executive Responsibilities and Consequences: A Case Study of Uber’s Data Breaches

Jul 2021, OAIC: Uber found to have interfered with privacy
