Commentary on OAIC Finding on Uber’s Data Breach

Australian Information Commissioner and Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians. Uber provided details of the data breach back in 2017, stating that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that Uber used.

Experts Comments

July 23, 2021
George Lee
Regional Vice President for Asia Pacific and Japan
Imperva

The privacy commissioner’s findings around the Uber data breach highlights the need for an effective data security strategy. It should act as a warning for organisations in Australia and indeed Asia, to review their current data security strategy in line with the various data privacy acts in place across the region. 

Data security should never be an afterthought – but sadly it often is, particularly when organisations prioritise speed over security. With the rush to modernise and migrate to

.....Read More

The privacy commissioner’s findings around the Uber data breach highlights the need for an effective data security strategy. It should act as a warning for organisations in Australia and indeed Asia, to review their current data security strategy in line with the various data privacy acts in place across the region. 

Data security should never be an afterthought – but sadly it often is, particularly when organisations prioritise speed over security. With the rush to modernise and migrate to the cloud, organisations often treat data security as a secondary consideration – seeing the risk of falling behind as greater than the risk of potential data loss. But data is the lifeblood of the modern business, and any effective cybersecurity strategy needs to start with securing it.

An effective data security strategy means auditing data to understand exactly where it is stored and the level of risk it presents to the organisation – including dormant databases inside the corporate network, and new databases in the cloud. 

Next, the organisation should only keep what’s necessary: data that has limited or no value as an asset, but high liability, should be deleted. Access to any remaining data should be strictly controlled: database administrators, software developers or marketing specialists don’t need access to the same data, and widening access increases the risk of leakage. 

Finally, data needs to be monitored in a way that the organisation can identify and prevent data leaks, whether deliberate or accidental. These are the bare bones of an effective data security strategy, but they’re essential for effective cyber protection.

Too often, organisations migrate data to the cloud and assume data security is the responsibility of the cloud provider. Unfortunately, that’s not true. Organisations mistakenly believe their cloud providers have visibility and oversight into how sensitive data is being protected. By 2025, it’s believed that at least 95% of cloud security failures will be the fault of the company using the cloud service.

In a shared responsibility model, security teams must take ownership of legacy data security concerns, and must also account for potential vulnerabilities in new cloud environments. Further, there’s the added challenge of understanding where the data lives. Most security teams are doing little more than managing the collection of raw data, but that doesn’t fulfill compliance requirements.

This lack of focus on data security is likely to come home to roost in the year ahead, when data starts to show up across the dark web and customers are impacted.

  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.