BLUF

Uber covered up a data breach in 2016 that affected the privacy of 1.2 million Australians; as a result, the Australian Privacy Commissioner has ordered Uber to comply with Australian Privacy Principles.

Summary

In October and November 2016, hackers stole the data of over 57 million people worldwide from Uber's database. Acting out of self-interest, Uber concealed this data breach and did not inform its customers.
Australia's Information and Privacy Commissioner Angelene Falk stated that Uber failed to:
  • Protect the personal data of 1.2 million Australians.
  • Notify those impacted.
  • Conduct an assessment of the personal information accessed. 
  • Comply with the Privacy Act 1988 (APA) and several Australian Privacy Principles (APP) requirements.
Falk ordered Uber to:
  • Prepare a data retention and destruction policy.
  • Establish an information security program and designate an individual to run it.
  • Implement an incident response plan for data breaches.
  • Conduct an independent assessment of Uber's adherence to the APA.