The personal information of more than one million Australian Uber users was accessed as part of a huge global data breach that was covered up for more than a year by the ridesharing giant.
It was revealed last month that hackers had accessed the names, emails and mobile numbers of 50 million Uber users around the world in October last year, along with the driver’s licence numbers of seven million drivers in the US.
Instead of informing the users and relevant regulators, Uber paid the hackers $US100,000 ($130,000) to delete the data and stay quiet about it.
The company has now confirmed that 1.2 million Australians were caught up in the data breach, and has submitted this to the Australian Privacy Commissioner.
“We take this matter very seriously and we are happy to answer any questions regulators may have,” an Uber Australian spokesperson said in a statement.
“We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers.”
Uber will not be individually informing the Australians impacted by the data breach, but said that there was no evidence that trip location history, credit card numbers, bank account numbers or date of birth had been accessed.
The huge data breach occurred in October last year, with hackers accessing a third-party cloud-based service used by Uber. The company’s security team paid the ransom to cover the hack up, which was only revealed last month in a media report.
In a blog post confirming the breach, new Uber CEO Dara Khosrowshahi said he was working to right the company’s past wrongs.
“None of this should have happened and I will not make excuses for it. We are changing the way we do business. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
Uber’s security practices were also under fire last week in a legal battle it is fighting with driverless car rival Waymo, which is owned by Alphabet. During the court case, it was alleged by a former Uber employee that the company has a specific unit in its security team that attempted to steal programming code and trade secrets from rivals. It was also alleged that Uber employees had been using disappearing chat apps like Wickr to hide these practices.
Waymo is alleging that its secrets were stolen by the tech giant, something which is denied by Uber.
It was revealed last week that a further three Uber security managers have resigned from the company following these controversies.
The initial revelations of the large data breach led to the firing of Uber chief security officer Joe Sullivan, along with one of his deputies.
Under Australia’s incoming mandatory data breach notification scheme, which will come into effect in February, Uber would be legally bound to declare the breach, although it was already required to notify regulators in the US yet failed to do so.