Uber breached the privacy of 1.2 million Australians in 2016, the federal privacy commissioner has found.

The federal privacy commissioner has found that Uber failed to appropriately protect the personal data of more than a million local customers and drivers following a cyberattack in 2016.

The hack impacted 57 million Uber users and drivers around the world, and was reported to the Office of the Australian Information Commissioner (OAIC) in December 2017.

Uber paid a US$100,000 ransom when it was attacked, in the hope that the culprits would delete stolen data including the names, email addresses and mobile phone numbers of customers, and keep quiet.

The OAIC has now found that Uber breached the Privacy Act by “not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required”.

The company also “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.

“Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability,” the OAIC said in a statement.

“Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.”

The commission found that regulatory action is warranted, but did not go as far as imposing a fine.

Uber now has three months to prepare a data retention and destruction policy, an information security program and an incident response plan, and to appoint an independent expert to review these actions and report back to the OAIC within five months.

Uber says it has made a number of technical improvements to the security of its systems since the 2016 incident, including obtaining ISO 27001 certification of its core rides business information systems and updating internal security policies.