The Uber data security breach and Australia’s new security legislation

What happened?

Popular ride-hailing app Uber is facing scrutiny worldwide after a massive digital security breach and cover-up was revealed last month. The data breach, performed by two external hackers in October 2016, affected 57 million drivers and passengers using Uber.

The company reportedly paid US$100k to silence the hackers responsible for the breach, successfully concealing the incident for over a year.

The hackers accessed sensitive personal information including the names, email addresses, and phone numbers of more than 50 million users, as well as licence numbers of drivers. Uber has offered assurance that no financial information was accessed, but has not disclosed detailed information about the nature of the breach to the media.

With facts about the incident now being rapidly unveiled, Uber faces liability in several jurisdictions worldwide. Public pressure from the US, UK, the Philippines, and Australia is topping off a year of heavy controversy for the business. 


What does the present and future backlash look like for Uber?

Uber is facing strong criticism not only for the breach itself, but for the immoral cover-up that followed. Data breaches, and the identity theft that often results, are of worldwide concern. Governments, companies, and members of the public all recognise the need for tighter security and mandatory reporting.

Australia will see new data security legislation come into effect in early 2018, requiring all digital security breaches to be reported to the Office of the Australian Information Commissioner (OAIC). Legislation is also tightening in the EU — from May 2018 the General Data Protection Regulation (GDPR) will impose stronger penalties for failure to report a data breach. In all but two US states, it is already mandatory to report data breaches that involve personal information.

Though the financial consequences for Uber under current regulation are still unclear, this incident comes on the tail of a bad year for the company. After reports of concealed sexual assault and driver mistreatment, underpaid drivers in NYC, and the contentious move by TfL to remove Uber’s licence to operate in London, Uber’s reputation has taken a strong hit in 2017.

Damaged reputation is just one consequence for companies that have reported — or concealed — serious data breaches like that experienced by Uber. With reports suggesting that 2018 will see the incidence of breaches continuing to rise, companies are recognising the need to tighten current data security in order to avoid the inevitable reputation damage and financial consequences of a breach.

Uber is not the only global-scale company facing pressure after a security breach. Yahoo and Equifax, among other big names, have experienced breaches of this nature in the last few years.

What does the new legislation mean for organisations like Uber?

With large global companies experiencing these types of breaches and their consequences, the nature of the reporting action taken by big organisations is likely to change dramatically next year. New laws will be cracking down on reporting practices worldwide, especially in the EU and Australia.

If Uber’s data breach had fallen under Australia’s impending laws, the company could be facing far more serious consequences. From February 2018, penalties for companies can include fines of up to $1.8 million as well as investigation by the OAIC, court-enforceable undertakings, and orders for compensation.

The same is true of the new EU laws, under which fines will reach 4% of annual global turnover or €20 million, whichever is greater. In the case of Uber, this could entail upwards of $260 million, based on its 2016 annual global revenue.

With businesses facing such severe consequences for data breaches, there is no room for error in digital security practices in 2018. Businesses in Australia and around the world should be looking to tighten security at every stage of their process.

What can Australian firms do to prevent digital security breaches?

Breaches in security occur when there is a gap in the system. Ensuring the security of data requires strict protocols from its collection to its destruction. Of course, companies should first assess whether it is truly necessary for them to hold sensitive data at all.

If it is necessary, all hard drives should be equipped with safeguards and kept updated, and staff should be educated on cyber security best practice. Alarm systems should be put in place to alert the company in the case of a breach. Once data is no longer needed, it should be completely, securely, and safely destroyed.

Find a full list of our top 10 ways to avoid a data breach here.

With end-of-life data being one of the biggest gaps in current practice Australia-wide, we want to assure Australian businesses that there is a safe, secure, and ethical way to deal with data that avoids heavy fines and maintains customer trust.