Uber-style data breach cover-ups ‘could happen here’
Companies in Australia may be concealing data breaches in much the same way Uber has, a JLT cyber expert says.
The US-based ride-sharing giant failed to report a huge breach that exposed the data of 57 million users – including an unknown number of Australians – for more than a year, instead paying the hackers more than $100,000 to delete the information.
JLT Cyber Security Specialist Samuel Rogers told insuranceNEWS.com.au similar cover-ups are almost certainly occurring here.
And while legislation mandating breach notification takes effect in February, Mr Rogers believes many companies are unaware of it.
Penalties for failing to comply with the new legislation include fines of up to $360,000 for individuals and up to $1.8 million for organisations.
“The fact this went unreported for a year shows companies can keep things under wraps,” Mr Rogers said. “At the moment there are undoubtedly things in Australia we are not learning about. Some companies believe that if you don’t need to tell anyone, why would you?
“When the law comes into effect, we will hear about more, but I’m not sure how many companies will comply. A lot of organisations are not even aware of the changes, and there’s a lot of work to be done to raise awareness.”
Mr Rogers believes Uber will suffer reputational damage from the cover-up.
“The situation becomes a lot worse if you don’t notify. For at least a year all their customers could have been taking steps to protect themselves from identity theft and so on, but they were not given the opportunity.
“It undermines the trust between the organisation and consumers. The fact they paid that ransom rather than report it is not a good look.”
The Australian Information and Privacy Commissioner has launched an investigation into the Uber incident.