Even though the leak exposed the personal information of 57 million users and drivers, Uber was not fined by Australia

Jul 29, 2021 13:55 GMT

Uber experienced a data breach 5 years ago that affected over 57 million global users and drivers, including about 1.2 million Australian citizens, according to the National Law Review.

The company notified the Office of the Australian Information Commissioner (OAIC) about the incident at the time. Even so, the agency said last Friday that Uber was found to be in violation of the Australian Privacy Act for failing to take any reasonable steps to prevent unauthorized access to Australian personal information.

No fine has been imposed, despite the infringement and Uber's decision not to inform the victims of the attack individually or report the incident in 2017. However, other jurisdictions have imposed massive fines for the violation, including the United States ($148 million) and Great Britain (£385,000).

Rather than being fined, Uber has been required by the Office of the Attorney General to develop a data infringement response plan, a security program for information, and rules and processes for the preservation and disposal of data. The procedures are subject to independent oversight, which the OAIC considers to be beneficial.

Even though the data breach was huge, Australia chose not to punish Uber 

It is noteworthy that Australia did not impose a monetary penalty despite the severity of the breach and the involvement of a major global business in the case.

Uber has strengthened its security rules and procedures after the decision was made and has been accredited to ISO 27001 since then. Following a recent wave of ransomware attacks, Uber has also opted to pay its attackers US$100,000 in order to have its consumers' stolen data restored.

The Ransomware Payments Bill suggests that mandatory reporting of ransomware attacks would be beneficial in order to better monitor these types of breaches in Australia. It remains to be seen whether such payments would have been subject to Australian regulatory supervision had the payment not been made by the Australian subsidiary while working with a multinational corporation.