Karimi & Associates Law Firm presents according to ComputerWeekly:
The Office of the Australian Information Commissioner (OAIC) has found that Uber Technologies, Inc. violated the privacy of an estimated 1.2 million Australians, and failed to investigate and disclose a data breach from 2016 promptly.
Information and Privacy Commissioner Angelene Falk stated that Uber violated the Privacy Act by not taking reasonable measures to protect the personal information of customers and drivers from a cyber-attack that happened in late 2016.
As stated by Falk, Uber not only failed to disclose and investigate the breach promptly but rewarded cybercriminals “through a bug bounty program for identifying a security vulnerability.” Falk noted that Uber did not conduct a full assessment of the breach until almost a year after the attack in November 2017, when they finally disclosed the breach to the public.
Stating that regulatory action was necessary and warranted considering actions taken in other countries due to the attack, Falk added:
The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group. This determination makes my view of global corporations’ responsibilities under Australian privacy law clear. Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group.
Falk concluded by ordering Uber and its affiliates to 1) prepare, implement and maintain data retention and destruction policy, information security program, and incident response plan that will ensure compliance with Australian privacy laws; and 2) appoint an independent expert to review and report on these policies and programs and their implementation, submit reports to the OAIC, and make any necessary changes recommended in the reports.