In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach affecting the personal information of some 57 million of its global users and drivers (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australians' personal information from unauthorised access.
Despite the breach and Uber’s decision not to individually notify those affected or report the attack until 2017, no fine has been imposed; by contrast, other jurisdictions imposed large fines for the breach – the US ($148 million) and the UK (£385,000). Instead of a fine, the OAIC has ordered Uber to put together a data breach response plan, an information security program, and data retention and destruction policies and procedures. These steps are subject to independent supervision, a measure the OAIC favours.
It is interesting to see that Australia did not impose a monetary fine despite the size of the breach and the global industry player involved.
Since the determination, it has been reported that Uber has obtained ISO 27001 certification and has updated its security policies and procedures.
Following the recent series of ransomware attacks, it is also noteworthy that Uber chose at the time to pay its attackers US $100,000 to delete its users’ stolen data. Perhaps, as suggested by the Ransomware Payments Bill, mandatory reporting of ransomware attacks would help to better monitor these types of breaches in Australia, but we wonder whether, with a global company, such a payment would have fallen within Australian regulatory reach unless the Australian subsidiary made the payment.