The Office of the Australian Information Commissioner has just announced its determination over Uber’s data breach incident from 2016.
After a complex investigation, the OAIC determined that Uber failed to secure the data of over 1.2 million Australians and failed to comply with the Privacy Act. The office now wants Uber to comply through several measures.
Uber Tried Covering Up The Data Breach
The US-based Uber Technologies Inc and its Dutch-based subsidiary, Uber B.V., were faulted by the Office of the Australian Information Commissioner on Friday on various grounds relating to the Uber data breach from 2016.
Back then, Uber's systems were compromised, allowing unauthorized parties to access the sensitive information of over 57 million Uber riders and over 600,000 Uber drivers worldwide.
After discovering the incident, Uber did not inform the public or the authorities and instead tried to cover it up. It paid the hackers through a bug bounty program and asked them to stay quiet about the matter.
The cover-up later came to light in the US, which fined Uber Inc a staggering $148 million; the UK later fined it 385,000 pounds and Holland 600,000 euros. Uber agreed to settle all of these.
In Australia, the Office of the Australian Information Commissioner has now made its determination on Uber’s data breach from 2016, after a “complex” investigation.
The Australian privacy commissioner, Angelene Falk, said that Uber failed to comply with the Australian Privacy Act 1988 by “not taking reasonable steps to protect Australians’ personal information from unauthorized access and to destroy or de-identify the data as required.”
The OAIC is therefore asking the company to establish an information security program, a data retention and destruction policy, and an incident response plan within three months. Further, Uber should appoint an independent expert to review these actions and report to the OAIC within five months.
In response, Uber said that it has obtained an “ISO 27001 certification of our core rides business information systems and updating internal security policies”.
Uber is also confident that it will address the OAIC determination and will work with a third-party assessor to comply with any new policies in the future.