BreachExchange mailing list archives

Uber Found to Have Breached Australians' Privacy Following 2016 Hack


From: Sophia Kingsbury <sophia.kingsbury () riskbasedsecurity com>
Date: Tue, 27 Jul 2021 11:52:21 -0400

https://www.natlawreview.com/article/uber-found-to-have-breached-australians-privacy-following-2016-hack

In 2017, Uber disclosed to the Office of the Australian Information
Commissioner (OAIC) a breach of the personal information of some 57 million
global users and drivers (including approximately 1.2 million
Australians). Last Friday, the OAIC determined that Uber had breached the
Australian Privacy Act by failing to take reasonable steps to protect
Australians' personal information from unauthorized access.

Despite the breach and Uber's decision not to individually notify those
affected or report the attack until 2017, no fine has been imposed,
whereas other jurisdictions imposed large fines for the breach: the US ($148
million) and the UK (£385,000). Instead of a fine, the OAIC has ordered
Uber to put together a data breach response plan, an information security
program, and data retention and destruction policies and procedures. These
steps are subject to independent supervision, which is a popular measure
with the OAIC.

It is interesting to see that Australia did not set a monetary fine despite
the size of the breach and the global industry player involved.

Since the determination, it has been reported that Uber has obtained ISO
27001 certification and has updated its security policies and procedures.

Following the recent series of ransomware attacks, it is also noteworthy
that Uber chose to pay its attackers US $100,000 at the time to delete its
users' stolen data. Perhaps, as suggested by the Ransomware Payments Bill,
mandatory reporting of ransomware attacks would be helpful to better
monitor these types of breaches in Australia, but we wonder whether, for a
global company, such a payment would have fallen within Australian regulatory
reach unless the Australian subsidiary made the payment.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com