Privacy commissioner opens probe into Uber hack
TORONTO Canada’s Office of the Privacy Commissioner has launched a formal investigation into the massive security breach at Uber that saw hackers steal personal information from millions in 2016.
A spokesperson for Privacy Commissioner of Canada Daniel Therrien confirmed that the office has opened a formal investigation but did not provide additional details, citing confidentiality provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Jill Clayton, Alberta’s Information and Privacy commissioner, has also opened an investigation into the data breach. Alberta privacy law requires that organizations that have experienced a security breach involving personal information notify the commissioner of the breach without reasonable delay. The day after news of the hack was made public, Uber had not yet provided the province with a breach report.
Uber’s chief executive Dara Khosrowshahi revealed in a blog post on Nov. 21 that hackers accessed user data stored on a thirdparty cloud-based service more than a year ago and downloaded information — including names, email addresses and phone numbers — from 57 million users. The hackers also stole names and driver’s licence numbers from about 600,000 U.S. drivers. The company said it let go two employees who led the response to the hack.
Authorities in the United States and United Kingdom launched investigations into the breach shortly after the hack was revealed. Canada’s privacy watchdog initially asked Uber to supply more information about the breach.
Xavier Van Chau, a spokesperson for Uber Canada, did not provide more details about how many Canadians were affected by the hack.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the Privacy Commissioner on this matter,” Van Chau said in an emailed statement.
Information about the hack has slowly trickled out since the company disclosed the breach last month. According to a Reuters report citing three sources, a 20-year-old Florida man was behind the breach and was paid $100,000 by Uber to destroy the data he obtained through a “bug bounty” program used to identify coding vulnerabilities.