In late 2016, a cloud-based storage service used by Uber Technologies Inc (UT) and Uber B.V. (UBV) (collectively, the Uber Companies), which held both riders' and drivers' personal information, was subject to an external cyber attack.
That attack resulted in anonymous attackers accessing and downloading files relating to approximately 57 million individuals worldwide, including 1.2 million Australians.1 UT did not publicly announce the data breach until 21 November 2017.
On 18 December 2018, the Office of the Australian Information Commissioner (OAIC) commenced investigating the data breach. That investigation culminated in the Commissioner handing down her determination on 30 June 2021,2 finding that the Uber Companies had breached a number of the Australian Privacy Principles (APPs) contained in sch 1 of the Privacy Act 1988 (Cth).
The facts
UBV is the company that operates the Uber mobile application (Uber App). When registering an account through the Uber App, riders and drivers are required to enter a range of personal information.
UBV provided that personal information directly to UT, which processed and stored it in accordance with an agreement between the two companies.
Types of personal information
The information exposed by the cyber attack was held in cloud-based back-up files that had been created when UT migrated its data to a new system. That migration had been completed in around 2015, so the back-up files were no longer needed but had nonetheless been retained.
Those back-up files contained the following personal information which was ultimately breached:
- names, email addresses and mobile numbers;
- driver's licence numbers (although this related to only approximately 23 Australians);
- one-time locational information, such as the location in which a user first registered an Uber account;
- data used to create receipts, including costs and dates of trips (but not locations);
- driver-related notes;
- high-level summaries of drivers’ payment histories and trips;
- ‘salted3 and hashed4’ versions of then-current user passwords and previous passwords.
There was no evidence that trip history, credit card numbers, bank account numbers, dates of birth or government-related identification numbers had been downloaded.
1 Comprised of approximately 960,000 riders’ accounts and 240,000 drivers’ accounts.
2 Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34.
3 A salt is a random string of characters generated separately for each password and combined with it before hashing, so that two users with the same password are stored as different hash values. The salt is ordinarily stored alongside the hash and need not be kept secret; its purpose is to prevent an attacker from using one precomputed table of hashes against every account.
4 Hashing means passing the password through a one-way cryptographic hash function to produce a fixed-length 'hash value'. The site stores the hash value rather than the password itself and checks a login attempt by hashing the submitted password with the same salt and comparing the result. The hash value cannot be reversed to recover the password directly, although weak or common passwords can still be recovered by guessing candidates and hashing each one.
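Footnotes 3 and 4 describe salting and hashing in the abstract. The following Python is an added illustration for this note; it is not code from the page and says nothing about the scheme the Uber Companies actually used. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and the five-word "precomputed table" are all assumptions made for the example. It shows that two accounts sharing a password get different salted records, that an unsalted hash falls to a single precomputed table, and that a salted record can only be attacked by re-hashing each guess per account.

```python
"""Added example: per-password salting with a slow hash, and why it matters.

Illustrative parameters only (PBKDF2-HMAC-SHA256, fixed iteration count);
the page does not say which algorithm or parameters the Uber Companies used.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # assumed value; tune to current guidance for a real deployment
SALT_BYTES = 16           # 128-bit random salt generated per password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is stored in the clear beside the hash; it is not a secret.
    Its job is to make every stored hash unique, so one precomputed table
    cannot be reused across accounts or across sites.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash with the record's own salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unsupported password record")
    _, iterations, salt_hex, hash_hex = parts
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(hash_hex))


def unsalted_sha256(password: str) -> str:
    """The weak alternative: a fast, unsalted hash of the bare password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed, deliberately tiny stand-in for an attacker's precomputed table.
WORDLIST: List[str] = ["password", "123456", "uber2016", "letmein", "qwerty"]


def crack_unsalted(hash_hex: str, wordlist: List[str] = WORDLIST) -> Optional[str]:
    """One table, built once, breaks every unsalted hash of a listed password."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return table.get(hash_hex)


def crack_salted(record: str, wordlist: List[str] = WORDLIST) -> Optional[str]:
    """Against a salted record no table helps: each guess must be re-hashed
    with this record's salt at the full iteration cost, separately per account."""
    for w in wordlist:
        if verify_password(record, w):
            return w
    return None


def demo(iterations: int = ITERATIONS) -> Dict[str, object]:
    """Two accounts with the same weak password, stored both ways."""
    password = "uber2016"            # constructed sample, deliberately in WORDLIST
    alice = hash_password(password, iterations=iterations)
    bob = hash_password(password, iterations=iterations)
    return {
        "salted_records_differ": alice != bob,
        "alice_verifies": verify_password(alice, password),
        "wrong_password_accepted": verify_password(alice, "uber2017"),
        "unsalted_hashes_identical": unsalted_sha256(password) == unsalted_sha256(password),
        "unsalted_cracked": crack_unsalted(unsalted_sha256(password)),
        "salted_cracked_only_by_rehashing": crack_salted(alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the footnotes alone do not make: the salt is stored beside the hash and is not a secret, so an attacker who steals the file has it; and a salt plus a slow hash does not protect a weak password, it only forces the attacker to repeat the full guessing cost for every account rather than once for the whole file.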