Ride-sharing giant Uber “interfered with” the privacy of 1.2m Australians when it paid cybercriminals $135,000 ($US100,000) to delete stolen data and keep quiet about a massive 2016 data breach, the Office of the Australian Information Commissioner (OAIC) has ruled after a five-year investigation complicated by what the OAIC euphemistically called “significant jurisdictional matters”.

Those “matters” related to the claim of US-based parent company Uber Technologies and Dutch holding company Uber B.V. – to which revenues from Australia and other countries are funnelled – that their overseas location freed them from legal obligations to protect the data of Australian customers.

That data, which had been collected about 1.2m Australian drivers and passengers in the lead-up to the October 2016 breach by cybercriminals, had been moved offshore before being compromised along with data on more than 55 million other Uber customers and drivers.

In a stunning lapse of judgement – and a poor reading of data breach disclosure laws that one technology academic called “amateur hour” – Uber paid the cybercriminals what it called a “bug bounty” in exchange for assertions they had deleted the data.

Uber did not disclose the data breach until November 2017, when revelations of the company’s malfeasance emerged – causing a maelstrom of litigation that included class-action lawsuits by the US government and all 50 states, investigations by regulators around the world, and the resignation of several key executives.

Newly appointed president Jeff Jones quit Uber after just seven months, citing a long list of controversies around the “destructive” culture at the company, which settled the litigation in late 2018 by paying a $200m ($US148m) penalty.

OAIC’s ruling, which comes nearly three years later, adds a series of Australian Privacy Act 1988 breaches to Uber’s rap sheet – although the OAIC has not imposed any financial penalties on the company for its callous disregard for Australia’s privacy laws.

The UK Information Commissioner’s Office, by contrast, fined Uber over $715,000 (£385,000) for the impact of the “avoidable data security flaws” on 2.7m UK citizens.

Australian Information Commissioner Angelene Falk was instead focused on ensuring such a breach doesn’t happen again.

“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” she said in announcing the finding that Uber had “interfered with” Australians’ privacy.

A data-sovereignty loophole?

In flagging several violations of the Australian Privacy Principles (APPs), the OAIC ruled that Uber had failed to take reasonable steps to protect the compromised Australians’ personal information from unauthorised access – violating APP 11.1 – or to take reasonable steps to “destroy or de-identify personal information they held”, violating APP 11.2.

Noting jurisdictional issues that had prolonged the investigation considerably, Falk said, “the matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”

The newly-released formal determination orders Uber to develop and maintain a formal data retention and destruction policy, information security program, and incident response plan that “will ensure the companies comply with the APPs”.

Yet the APPs already include mechanisms to deal with the overseas flow of data about Australians – with APP 8 outlining an “accountability approach” and extraterritoriality provisions that, the OAIC noted in a recent submission to the Privacy Act Review Issues Paper.

These provisions allow data to be transferred across jurisdictional borders where “the APP entity reasonably believes that the overseas recipient is subject to a law or binding scheme” with similar privacy protections.

Many US states and the Dutch government require companies to disclose data breaches, and experts have pointed out that Uber was subject to reporting obligations – but simply ignored them for the year until the breach was disclosed, in a decision that then-Illinois Attorney General Lisa Madigan called “just inexcusable”.

Despite the complexities involved in the Uber case, the OAIC argued in its earlier submission that the accountability approach “remains an appropriate way of enabling personal information to flow overseas, whilst ensuring there are meaningful redress mechanisms available to Australians.”

“This is an important mechanism to ensure that individuals’ personal information is still protected in situations where the Privacy Act may not have extraterritorial jurisdiction.”

Uber speaks

In a statement to Information Age, an Uber spokesperson said: “We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users.

“We have made a number of technical improvements to the security of our systems, including obtaining ISO 27001 certification of our core rides business information systems and updating internal security policies, as well as making significant changes in leadership, since this incident in 2016.

“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

Uber added it has “already completed an independent assessment of its Information Security Program pursuant to the US Attorneys’ General judgment, which found that Uber’s safeguards are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of personal information of riders and drivers that it maintains, and that Uber maintained an Information Security Program reasonably designed to protect the security, integrity, and confidentiality of the personal information of its riders and drivers.”