FINANCIAL POST
PRIVACY WATCHDOG OPENS UBER HACK PROBE.
TORONTO • Canada’s Office of the Privacy Commissioner has launched a formal investigation into the massive security breach at Uber that saw hackers steal personal information from millions in 2016.
A spokesperson for Privacy Commissioner of Canada Daniel Therrien confirmed that the office has opened a formal investigation but did not provide additional details, citing confidentiality provisions under the Personal Information Protection and Electronic Documents Act ( PIPEDA).
Jill Clayton, Alberta’s Information and Privacy Commissioner, has also opened an investigation into the data breach. Alberta privacy law requires that organizations that have experienced a security breach involving personal information notify the commissioner of the breach without reasonable delay. The day after news of the hack was made public, Uber had not yet provided the province with a breach report.
Uber’s chief executive Dara Khosrowshahi r evealed in a blog post on Nov. 21 that hackers accessed user data stored on a thirdparty cloud- based service more than a year ago and downloaded i nformation — including names, email addresses and phone numbers — from 57 million users. The hackers also stole names and driver’s licence numbers from about 600,000 U. S. drivers. The company said it let go two employees who led the response to the hack.
Authorities in the United States and United Kingdom l aunched i nvestigations into the breach shortly after the hack was revealed. Canada’s privacy watchdog initially asked Uber to supply more information about the breach.
Xavi e r Van Chau, a spokesperson for Uber Canada, did not provide additional details about how many Canadians were affected by the hack.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the Privacy Commissioner on this matter,” Van Chau said in an emailed statement.
Last week, Toronto’s city council joined those asking for more details about the hack and voted in favour of a motion that demanded Uber disclose information related to the data breach in order to find out how many people in Toronto were affected.
Information about the hack has slowly trickled out since the company disclosed the breach last month. According to a Reuters report citing three sources, a 20-year-old Florida man was behind the breach and was paid $ 100,000 by Uber to destroy the data he obtained through a “bug bounty” program used to identify coding vulnerabilities. Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to prevent further wrongdoing, Reuters reported.
T he hacki ng breach marked the latest blow in what has proven to be a turbulent year for the company.
Uber hired Khosrowshahi this summer in the hopes of bringing more stability to the company. The move came shortly after former chief executive and co-founder Travis Kalanick resigned after a lengthy investigation that was prompted by a former engineer publicly accusing Uber of sexual harassment and discrimination.