Thousands of Australian Uber users have likely been caught up in a huge global data breach which saw the ridesharing giant pay hackers a ransom to cover it up.
Uber confirmed last week that the personal data of 57 million Uber users and drivers had been accessed in a hacking attack late last year. The names, email addresses and phone numbers of 50 million Uber users around the world were stolen, while the driver’s licence numbers of seven million Uber drivers in the US were also compromised.
While Uber had a legal obligation to report this breach to authorities, the company instead paid the hackers $US100,000 ($131,000) to delete the information and keep quiet about it, according to Bloomberg.
The company has said that no credit card information, trip location details or other information was taken as part of the hack, and that it believes that the data taken has not been used.
Thousands of Australian Uber users and drivers have likely had their personal information compromised as part of the hack, with the company confirming that it contacted Australian privacy commissioner Timothy Pilgrim last week to inform him that Australians had been hit.
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them,” an Uber Australian spokesperson said.
“Until we complete that process we aren’t in a position to get into any more details.”
The large-scale global hack was confirmed by Uber CEO Dara Khosrowshahi in a blog post following a report by Bloomberg.
According to Bloomberg, the attack took place in October last year and saw the hackers access the information through a third-party cloud-based service used by the company, rather than a breach of its corporate systems or infrastructure.
Instead of reporting it, the company moved to pay off the hackers, who had contacted Uber requesting a ransom.
Bloomberg reported Uber founder and former CEO Travis Kalanick was informed of the breach and pay-off in November last year.
Khosrowshahi, who took over as Uber CEO earlier this year after Kalanick was forced to resign, said he only “recently” learned of the incident, and is currently working to “repair past mistakes”.
“None of this should have happened, and I will not make excuses for it. We are changing the way we do business,” Khosrowshahi said in the blog post.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Since news of the hack has come to light, Khosrowshahi has asked for the resignation of chief security officer Joe Sullivan and also fired another senior executive who reported to him.
He has also tasked Matt Olsen, the former general counsel of the National Security Agency and director of the National Counterterrorism Centre, to develop and structure Uber’s security teams and processes in the future.
The company has said that it will be individually notifying drivers whose licence numbers were accessed in the hack and providing them with free credit monitoring and identity theft protection.
It’s not the first time that Uber has openly flouted laws and regulations around the world. While the company was negotiating the bribe with the hackers, it was also in discussions with US regulators over a separate privacy violation, and the company was also fined $20,000 last year for failing to disclose a smaller data breach that took place in 2014.
The news compounded a bad week for Uber in Australia, with the Victorian taxi industry launching a class action against the company for operating illegally in the state before legislation was passed earlier this year.
The company is also under investigation by the Fair Work Ombudsman over the classification and treatment of its drivers.
The data breach comes just months before a mandatory data breach notification scheme is implemented in Australia. The regime will come into effect in February next year, and will require companies to report any big data breaches to the privacy commission and relevant authorities.
Australian Privacy Commissioner Timothy Pilgrim said the Uber hack and its reveal last week should be a wake-up call for Australian businesses.
“It is a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data,” Pilgrim said in a statement.
“I also remind organisations that the commencement of the Notifiable Data Breaches Scheme in February 2018 will require them to notify any individuals likely to be at risk of serious harm due to a data breach. Failure to do so could lead to the imposition of penalties provided for in the Privacy Act.”