National Post (National Edition)
Privacy czar wants breach report over Uber hack
Canada’s privacy watchdog has asked Uber for more information about how a massive security breach that saw hackers steal personal information about millions has affected Canadians, but said Wednesday it has not yet opened a formal investigation.
Uber revealed on Tuesday that hackers accessed user data stored on a third-party cloud-based service more than a year ago and downloaded personal information — including names, email addresses and phone numbers — from 57 million users. The hackers also stole names and driver’s licence numbers from about 600,000 U.S. drivers. The company said it has fired two employees who led the response to the hack.
A spokesperson for the Office of the Privacy Commissioner of Canada said Uber advised the government it was not able to confirm how many Canadians were affected by the breach.
“We have not opened a formal investigation,” Valerie Lawton, a Privacy Commissioner spokesperson, said in an emailed statement. “We have asked Uber to provide us with a written breach report, in which we would expect them to provide details about how the breach happened and about the impact on Canadians.”
Authorities in the U.S. and U.K. have launched investigations into the breach.
Uber Canada spokesperson Susie Heath said the firm is “working closely with regulatory and government authorities globally,” including the Canadian government. “Until we complete that process, we aren’t in a position to get into more detail,” she said in an emailed statement.
The hacking breach marks yet another blow to Uber, which hired new chief executive Dara Khosrowshahi this summer in the hopes of turning the company around after a turbulent year.
The hack is a sign corporations are not adequately protecting customer information, said Daniel Tobok, a cyber-security expert and CEO of Cytelligence Inc.
“This is literally negligence. These are things that could be prevented.”
Uber said it does not believe riders need to take any action given the breach.
“We have seen no evidence of fraud or misuse tied to the incident,” the company said in a blog post. “We are monitoring the affected accounts and have flagged them for additional fraud protection.”