# AFR: Uber privacy ruling a ‘wake-up call’ for business



## Jack Malarkey (Jan 11, 2016)

_Australian Financial Review_, Friday 27 August 2021, page 31

*Uber privacy ruling a ‘wake-up call’ for business*









Max Mason, Senior reporter

Updated Aug 26, 2021 – 12.08pm, first published at 11.20am

A landmark privacy ruling against Uber over a hack of the personal details of 1.2 million Australian customers and drivers is a “wake-up call” for business, according to privacy experts.

They say the ruling by Australian Information and Privacy Commissioner Angelene Falk in July will set a new standard on both data privacy and disclosure of breaches to the regulator.

In 2016, 1.2 million Australians were part of a major hack of more than 57 million Uber customers and drivers.

The company was involved in an alleged cover-up of the breach that included paying a $100,000 ransom to the party who stole the data.

Uber did so under the guise of what the information security industry calls a “bug bounty”, where companies pay uncontracted third parties who find vulnerabilities in their IT systems.

Ms Falk found that Uber failed to comply with a number of Australian Privacy Principles in the Privacy Act. These included taking reasonable steps to protect personal information against unauthorised access or to delete or de-identify personal information that is no longer needed for its permitted purpose, and failing to take steps to have proper systems in place.

David Batch, the national privacy lead at cybersecurity services firm CyberCX, said the privacy commission had made it clear that if the breach had occurred under the Notifiable Data Breaches scheme introduced in 2018, Uber would definitely have been required to disclose.


----------

