Uber apparently interfered with the privacy of over 1 million Australian users in 2016, says the Office of the Australian Information Commissioner (OAIC). The revelation was made by Angelene Falk, the Information Commissioner and Privacy Commissioner for Australia, on Friday.
57 Million Riders, 600,000 Drivers Affected
It is being claimed that around 1.2 million Australian users, including drivers and consumers alike, had their privacy compromised at the hands of US-based Uber Technologies Inc., and Netherlands-based Uber B.V, after they were subjected to a data breach in October and November 2016.
In 2017, it was found that the data of 57 million Uber riders across the world had been accessed by hackers, along with that of over 600,000 Uber drivers. The service has been charged with trying to hush the matter up, instead of notifying the affected users. Moreover, the company allegedly even paid a hacker to remain mum about the same. The hackers were made to destroy the data they had gained access to. However, the OAIC says that it concerns itself more with whether Uber took the appropriate measures to keep the data safe in the first place.
Failed to Comply with Guidelines
According to Falk, the OAIC found in its investigation that Uber had been in contravention of the Privacy Act 1988, as it had failed to protect the personal data of its Australian users (and perhaps, users elsewhere as well) from unauthorized access, or to “destroy or de-identify” the data as needed.
Moreover, the company also failed to take the required measures to implement appropriate “practices, procedures, and systems” to ensure that it complies with the Australian Privacy Principles (APP). As per the determination, Uber also didn’t undertake a full assessment of the personal information of its users that had been accessed until nearly a year later. Neither did it disclose the issue till November 2017.
APP 11.1 requires companies to take the appropriate steps to ensure that user data remains protected, while APP 11.2 requires them to delete or destroy any personal information that’s no longer needed for permitted use. The OAIC also found that Uber had breached APP 1.2 (implementing the required steps to ensure compliance with the guidelines).
The company has been warned against repeating any such acts, and has been given a period of three months to develop a data retention and destruction policy so as to ensure compliance with APP 11.2. Additionally, an information security programme is to be set up and an individual is to be assigned to lead it. The aim of the programme is to identify risks to the personal information of Australian users which could result in “misuse, interference, or loss” of the information, or its “unauthorized access, modification, or disclosure.”