Uber isn’t saying how many Canadians were hit in its hack
TORONTO — Privacy advocates are raising alarms at how Uber is handling a year-old security breach that saw hackers steal the personal information of millions of customers around the world.
Uber admitted Tuesday that hackers stole names, email addresses and mobile phone numbers of 57 million riders but has still not said which customers had their data stolen including the number of Canadians affected.
The company said Wednesday its priority was disclosing information to regulators, though it has known about the breach for close to a year.
“We are working closely with regulatory and government authorities globally, including the federal Privacy Commissioner’s Office here in Canada. Until we complete that process we aren’t in a position to get into more detail,” Uber Canada spokesperson JeanChristophe de le Rue said by email.
The company has so far specified only that hackers took the drivers licence numbers of 600,000 Uber drivers in the U.S. and it has not seen evidence of fraud or misuse tied to the incident.
New York’s state attorney general has confirmed an investigation into the breach has been opened, with state laws
requiring companies to give notice about stolen data.
The company also faces potentially higher than usual fines from British authorities because the firm did not promptly disclose the hack as required by laws in the U.K.
Canada, however, does not have laws requiring disclosure of data breaches, and the Privacy Commissioner of Canada said it has not yet launched a formal investigation.
The agency is, however, reaching out to its international counterparts to discuss the matter, and has asked Uber to provide a written breach report including details on how the breach happened and the impact on Canadians, said Privacy Commissioner spokesperson Valerie Lawton by email.
The NDP said the Uber breach is the latest reminder that Canada needs to update its laws to deal with the threat of data theft.
“This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians’ information this way,” the NDP said.
“The law also needs to be changed to force companies to divulge these hacks and be transparent.”
The spate of cybersecurity breaches from Yahoo to Equifax show that more regulation is needed and the threat of reputational damage isn’t enough to force companies to act, said Benoit Dupont, Canada Research Chair in Cybersecurity at McGill University.
“Twenty years of looking at hacks shows that the markets aren’t good — the government is going to have to be a bit more assertive about how it directs and regulates companies to implement more stringent levels of cybersecurity.”
The long-delayed announcement and lack of details so far goes against the importance of transparency in these matters, said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.
“That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me.”
He said it’s important for companies to disclose data breaches so individuals can respond, so security experts can learn from the breach.
“What we’ve seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don’t can be hit very badly.”