The Colombian data protection authority has ordered Uber to improve its security measures in order to protect the personal data of Colombian users.
Following an investigation, the Colombian DPA found that between October and November 2016 an unauthorised party had accessed personal data that Uber had stored on its third-party cloud provider's servers.
The unauthorised party gained access by using an access key that an Uber engineer had shared online. Once the access key was used, the hackers were able to download unencrypted files containing personal data. The hackers had been able to reach Uber's GitHub page using passwords that had previously been exposed in other data breaches.
The breach affected 267,000 users in Colombia. Even worse, the users were unaware of the breach until more than a year later. Rather than disclosing the breach, Uber had paid the hackers $100,000 to destroy all the personal data they had obtained.
The Colombian DPA stated that Uber did not have a policy that stopped engineers from reusing credentials. The investigation also found that Uber had not implemented reasonable access controls to protect the data of Colombian users stored in Amazon S3. Uber had also failed to inform its users of an earlier data breach that occurred in 2014.
The DPA argued that Uber did not take responsibility for the large amounts of personal data it held and did not enforce sufficient practices, even though under Colombian Law 1581 of 2012 companies are responsible for implementing policies and practices that protect users' personal data.
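The two failures the regulator names, credentials shared in a code repository and no control stopping them from being pushed, are the kind of thing a pre-push secret check catches. The following is an added example written for this article, not code from Uber or from the regulator: it scans the added lines of a unified diff for the AWS access key ID and secret key formats and reports them redacted. The diff contents and the credential values in it are constructed for the example and are not real credentials.

```python
import re

# Constructed sample diff (not from the article); the credential values are made up.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0123456AB"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+S3_BUCKET = "rider-exports"
+LOG_LEVEL = "INFO"
"""

# Long-term AWS access key IDs start with AKIA (temporary ones with ASIA) and are 20 chars.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-alphabet chars; only flag one that sits next to a
# secret-looking variable name, to keep false positives from hashes and tokens low.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:secret|aws_secret_access_key)\W{0,20}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value: str) -> str:
    """Keep only a prefix and suffix so a report never re-leaks the credential."""
    return f"{value[:4]}...{value[-4:]}"


def find_leaked_aws_credentials(diff: str) -> list[tuple[int, str, str]]:
    """Scan the added lines of a unified diff for AWS credentials.

    Returns (line number within the diff, finding type, redacted value) tuples.
    Only lines being added ('+', but not the '+++' file header) are examined,
    because those are what a push would expose.
    """
    findings = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def should_block_push(diff: str) -> bool:
    """Pre-push gate: reject the change if any credential material is present."""
    return bool(find_leaked_aws_credentials(diff))


if __name__ == "__main__":
    for lineno, kind, shown in find_leaked_aws_credentials(SAMPLE_DIFF):
        print(f"line {lineno}: {kind} {shown}")
    print("blocked" if should_block_push(SAMPLE_DIFF) else "clean")
```

Wired into a pre-push hook, a non-empty result rejects the push; the redacted report can go to the reviewer without putting the key in yet another log.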
As a consequence, the Colombian DPA has ordered Uber:
- To improve and implement a security program that addresses all security risks that could result in unauthorised access to personal data, and that protects the security and confidentiality of the personal data the organisation stores and accesses.
- To develop, implement and maintain a data breach program that notifies the authorities of any personal data breach without delay and informs all affected users.
- To provide training to employees and contractors so that the security measures can be carried out.
- To monitor compliance on an ongoing basis.