[BreachExchange] Uber Found to Have Breached Australians' Privacy Following 2016 Hack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 27 11:52:21 EDT 2021


https://www.natlawreview.com/article/uber-found-to-have-breached-australians-privacy-following-2016-hack

In 2017, Uber disclosed to the Office of the Australian Information
Commissioner (OAIC) a breach of the personal information of some 57
million global users and drivers (including approximately 1.2 million
Australians). Last Friday, the OAIC determined that Uber had breached the
Australian Privacy Act by failing to take reasonable steps to protect
Australians' personal information from unauthorized access.

Despite the breach and Uber’s decision not to individually notify those
affected or report the attack until 2017, no fine has been imposed,
whereas other jurisdictions imposed large fines for the breach: US ($148
million) and UK (£385,000). Instead of a fine, the OAIC has ordered
Uber to put together a data breach response plan, information security
program, and data retention and destruction policies and procedures. These
steps are subject to independent supervision, which is a popular measure
with the OAIC.

It is interesting to see that Australia did not set a monetary fine despite
the size of the breach and the global industry player involved.

Since the determination, it has been reported that Uber has obtained ISO
27001 certification and has updated its security policies and procedures.

Following the recent series of ransomware attacks, it is also noteworthy
that Uber chose to pay its attackers US $100,000 at the time to delete its
users’ stolen data. Perhaps, as suggested by the Ransomware Payments Bill,
mandatory reporting of ransomware attacks would be helpful to better
monitor these types of breaches in Australia, but we wonder if, with a
global company, such a payment would have fallen within Australian
regulatory reach unless the Australian subsidiary made the payment.