# Thousands of Australians affected by Uber hack cover-up



## Hugh G (Sep 22, 2016)

*Thousands of Australians affected by Uber hack cover-up*

*By Ben Grubb*

Updated 22 November 2017 - 02:43pm

first published at 01:44pm

https://www.brisbanetimes.com.au/wo...ted-by-uber-hack-coverup-20171122-gzqmhj.html

Hundreds of thousands of Australian Uber riders and thousands of local Uber drivers have been caught up in the breach that the ride-sharing company concealed for more than a year.

It comes as The New York Times reported on Wednesday afternoon that not only did Uber conceal the breach, but it paid the hackers off to keep them quiet and disguised the payment as a reward.

Uber failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company's new chief executive officer says.

"The company tracked down the hackers and pushed them to sign non-disclosure agreements, according to the people familiar with the matter," the Times reported.

"To further conceal the damage, Uber executives also made it appear as if the payout had been part of a 'bug bounty' - a common practice among technology companies in which they pay hackers to attack their software to test for soft spots," it added.










Hundreds of thousands of Australians who have the Uber app installed on their smartphones are likely to be affected by the data breach.

_Photo: Bloomberg_

The personal information of 57 million Uber riders around the world - including their names, email addresses and mobile phone numbers - was stolen as part of the breach.

Furthermore, the personal information of about 7 million drivers was accessed, including about 600,000 US driver's licence numbers, according to Bloomberg.

It's not yet clear whether Australian uberX drivers had their driver's licences "downloaded" as part of the breach, however, Uber said no social security numbers, credit card details, trip location information or other data was taken.

Uber's Australian arm disclosed in a blog post in October 2015 that there had been over 10 million uberX rides in Australia. It further said that uberX had created "3000 jobs in Sydney", with over a thousand new driver partners being signed up every month across Australia.

Given this, it is expected that tens of thousands of Australian Uber drivers had their data exposed as part of the breach, which was uncovered in October 2016.

And hundreds of thousands of Australians - if not millions - who have the Uber app installed on their smartphones are also likely to be affected (Uber does not disclose exact driver and rider figures in Australia).

A spokesman for Uber's Australia arm told Fairfax Media that the company was "in the process of notifying various regulatory and government authorities".

"We expect to have ongoing discussions with them," the Australian spokesman said.

"Until we complete that process we aren't in a position to get into any more details."

Meanwhile, Australia's privacy commissioner, Timothy Pilgrim, said in a statement to Fairfax that his office had commenced inquiries with Uber about the breach.

"Incidents such as this are a timely reminder to Australians of the value of the personal information we provide in order to receive products and services," Mr Pilgrim said.

"It is also a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data.

"I also remind organisations that the commencement of the Notifiable Data Breaches Scheme in February 2018 will require them to notify any individuals likely to be at risk of serious harm due to a data breach. Failure to do so could lead to the imposition of penalties provided for in the Privacy Act."

Companies based in Australia are not presently required by law to disclose privacy breaches. This will change in February, with fines of up to $1.7 million being levelled against those who act negligently.

Australian security expert Troy Hunt, who runs the very popular haveibeenpwned.com website - which alerts its users when their data has been breached online - said the breach didn't surprise him.

However, he said he was surprised that Uber didn't consider email addresses to be personally identifying information, adding that Uber's concealment of the breach was unlikely the first of its kind.

"There is a lot of stuff out there that we just haven't seen come to light," Mr Hunt said, before adding that he didn't "see how anyone in their right mind can say you can't identify someone based on their email".

Mr Hunt is due to testify before US Congress in Washington next week as an expert on cybersecurity about the impact of data breaches.

The hearing will look at the current challenges facing identity verification and the prevalence of how data breaches are having a serious impact on that.


----------

