No penalty for Uber’s data breach affecting 1.2 million Australians
Aug 2021 | Cyber Risk
In late 2016, the cloud-based storage service of Uber Technologies Inc (UT) and Uber B.V. (UBV) (collectively, the Uber Companies), which contained both riders’ and drivers’ personal information, was subject to an external cyber attack.
That attack resulted in the anonymous attackers accessing and downloading files relating to approximately 57 million individuals worldwide, including 1.2 million Australians.[1] UT did not publicly announce the data breach until 12 November 2017.
On 18 December 2018, the Office of the Australian Information Commissioner (OAIC) commenced investigating the data breach. That investigation culminated in the Commissioner handing down her determination on 30 June 2021,[2] finding that the Uber Companies had breached a number of the Australian Privacy Principles (APPs) contained in sch 1 of the Privacy Act 1988 (Cth).
UBV is the company which operates the Uber mobile application (Uber App). When registering an account on the Uber App, users and drivers are required to input a range of personal information.
That personal information was provided by UBV directly to UT which processed and stored the information in accordance with an agreement between it and UBV.
Types of personal information
The information breached by the cyber-attack was contained in cloud-based back-up files which had been created when UT migrated its data to a new system. However, that task had been completed in around 2015 and the back-up files were no longer needed.
Those back-up files contained the following personal information which was ultimately breached:
- names, email addresses and mobile numbers;
- driver’s license numbers (although this only related to approximately 23 Australians);
- one-time locational information, such as the location in which a user first registered an Uber account;
- data used to create receipts, including costs and dates of trips (but not locations);
- driver-related notes;
- high-level summaries of drivers’ payment histories and trips;
- ‘salted[3] and hashed[4]’ versions of then-current user passwords and previous passwords.
There was no evidence that trip history, credit card numbers, bank account numbers, dates of birth or government related identification numbers had been downloaded.
Response to the incident
UT first became aware of the incident on 14 November 2016, following receipt of an anonymous email from one of the attackers demanding money.
Following receipt of that email, UT:
- ‘rotated’ the site’s compromised access key;
- introduced two-factor authentication for the affected servers;
- paid US$100,000 to the attackers;
- obtained written assurances from the attackers that the downloaded data had been destroyed and that they would not disseminate the data; and
- engaged a forensic IT consultant firm, Mandiant, to produce reports regarding the incident. (Those reports were not provided to UT by Mandiant until 2018 and detailed the types of personal information impacted, as outlined above).
On 21 November 2017, after those steps had been taken, UT publicly announced the incident. UT then contacted drivers whose driver’s license numbers had been accessed and enabled users of the Uber App located in Australia to contact them to raise concerns or ask questions (however those individuals were not actually contacted by the Uber Companies).
UT also tagged the compromised accounts with additional fraud protection and implemented further security measures and training internally.
The Commissioner considered whether the Uber Companies had interfered with the privacy of approximately 1.2 million Australians by breaching:
- APP 11.1, which requires an entity to take reasonable steps to protect personal information against unauthorised access;
- APP 11.2, which requires an entity to take reasonable steps to delete or de-identify personal information that it no longer needs for a permitted purpose; and
- APP 1.2, by failing to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities to ensure compliance with the APPs.
APP 11.1 – Protecting information against unauthorised access
Entities are required to take reasonable steps to protect information they hold from unauthorised access.
The steps an entity is required to take depend on the particular circumstances, including the size, resources and complexity of the entity, the amount and sensitivity of personal information held, the potential harm to individuals if the information is accessed, and the time, cost and practical implications of implementing a particular security measure.
UT submitted that it took the following reasonable steps prior to the incident:
- implementing a security tool which restricted its employees’ access to credentials, encryption keys and other sensitive information;
- encouraging engineers to rotate access keys on a regular basis;
- implementing processes to backup, encrypt and delete files;
- requiring multi-factor authentication for individual employees to access the storage cloud; and
- providing privacy and security training to all employees as part of their on-boarding process, and providing further annual training.
UBV submitted that it relied on UT’s skills and knowledge to assess and implement appropriate measures as contemplated in an agreement between it and UT regarding its management of the data.
The Commissioner acknowledged the steps taken above but found that the Uber Companies had nonetheless breached APP 11.1 as there were deficiencies in their security processes.
In respect of UT, the Commissioner held that those deficiencies included that:
- there was no policy requiring access keys to be rotated regularly, and it was unclear how regularly this occurred;
- multi-factor authentication was not required for all types of access to the relevant servers. For example, for programmatic access users were only required to present the access key. (Programmatic access allows users to use a tool to issue automated, standardised commands to access and manage large volumes of data.) And
- the back-up files had not been encrypted, and UT did not identify any policies regarding the encryption or deletion of back-up files.
In respect of UBV, the Commissioner found that it was not reasonable for it to almost entirely rely on UT’s skill and knowledge, and its obligations under the agreement between them because:
- it had entrusted a substantial amount of Australians’ personal information to UT;
- there was a foreseeable risk of adverse consequences if that information was accessed without authorisation; and
- UT had ‘multiple deficiencies’ in its information handling practices (as outlined above).
The Commissioner found that UBV could have at least conducted independent assessments or audits to confirm UT was promptly notifying it about any data breaches or security incidents.
APP 11.2 – Destroying or de-identifying information
The Commissioner also found that it was not reasonable for the Uber Companies to not delete or de-identify the back-up files which were accessed as they were no longer needed for any purpose (and had not been needed since approximately 2015).
The Commissioner found that the Uber Companies should have at least:
- adopted and implemented a policy and procedure to identify whether manually created back-up files containing personal information were needed for a permissible purpose under the APPs, and if not that they would be deleted or de-identified; and
- operationalised those policies by providing specific training to employees and implementing processes to monitor compliance with them.
APP 1.2 – Compliance with the APPs
APP 1.2 imposes an overarching obligation on entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs and to deal with complaints or inquiries from individuals regarding compliance with the APPs.
The Commissioner had already found that reasonable steps had not been taken to implement appropriate policies and procedures to comply with the APPs.
The Commissioner was also critical of the Uber Companies’ response to the incident. In particular, the Commissioner noted that the Uber Companies:
- focused on paying the attackers, rather than identifying the vulnerability in its system and disclosing that vulnerability to affected individuals;
- did not appoint the IT experts, Mandiant, until 11 months after the incident;
- did not make a public statement to affected Australian drivers until 12 months after the incident; and
- did not have in place an incident response plan providing timelines for the above steps to occur, or a framework for determining what information was accessed and which individuals needed to be notified.
In light of those matters, the Commissioner also found the Uber Companies had breached APP 1.2.
As the investigation was commenced on the Commissioner’s own initiative, she was not able to order the Uber Companies to pay compensation in the absence of any individuals supplying evidence of loss or damage. The Commissioner confirmed that no individual complaints had been received by the OAIC.
In considering the appropriate remedy, the Commissioner had regard to penalties imposed on the Uber Companies in other jurisdictions, namely in:
- the United Kingdom, a fine of GBP385,000 (approximately AUD$727,344);
- the Netherlands, a fine of EUR600,000 (approximately AUD$960,753); and
- America, a requirement to make certain changes to their privacy policies and to obtain biennial third-party assessments for the next 20 years.
The Commissioner made the following declarations:
- Within 3 months, the Uber Companies must prepare policies and programs, to be reviewed by an independent expert;
- Within 5 months, that independent expert must prepare a written report regarding the policies and programs to be provided to the Commissioner;
- Within 12 months, the Uber Companies must implement any policies and programs (with any recommendations from the independent expert or Commissioner); and
- On or about 30 months after the date of this determination, the independent expert will conduct a review of the Uber Companies’ implementation and maintenance of the policies and programs and prepare a supplementary report for the Commissioner. If that report includes any recommendations, they must be implemented within 6 months, with written confirmation of that implementation to be provided by the independent expert to the Commissioner.
This determination provides a useful framework of the Commissioner’s expectations of the steps entities should be taking to protect individuals’ privacy.
It is not sufficient to merely implement policies and procedures, without operationalising those policies by providing appropriate training to employees and monitoring compliance with those policies on an ongoing basis.
It also makes it clear that an entity’s obligations under the APPs cannot be delegated. If an entity contracts another entity to store and manage the data it collects, it must ensure that entity is complying with the APPs. The OAIC will not accept that an entity placed blind reliance on another entity to manage that data.
[1] Comprised of approximately 960,000 riders’ accounts and 240,000 drivers’ accounts.
[2] Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) AICmr 34.
[3] This refers to a unique string of characters known only to the site which is added to each password before it is hashed.
[4] This means the password has been converted, by a one-way hashing algorithm, into a ‘hash value’ derived from the combination of both the password and a key known only to the site.