Uber’s hidden hack hit Kiwi users
New Zealand information was stolen in the cyberattack on Uber that compromised data from 57 million riders and drivers.
Uber spokeswoman Nicky Preston confirmed the hack had reached New Zealand Uber users.
Preston said ‘‘no critical info was downloaded’’ or had been released, such as drivers’ licences or credit cards.
However, the names, phone numbers and email addresses of New Zealand users had been accessed by the hackers.
‘‘We’re not releasing numbers and to be completely honest I don’t know the scale,’’ she said.
‘‘While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.’’
Worldwide, 50 million riders had their addresses, phone numbers, names and emails compromised, and 7 million drivers’ details were accessed, including 600,000 US driver’s licence numbers.
Uber informed the Privacy Commissioner of the incident on Wednesday, although the hack took place in October 2016, the company told Bloomberg.
The company paid hackers US$100,000 (NZ$145,000) to delete the data and keep the breach quiet.
Privacy Commissioner John Edwards said he was disappointed to only now be hearing the details of the breach.
‘‘This kind of incident underscores the importance and urgency of manda- tory breach reporting laws, which the Government has been considering since 2011.’’
In a report tabled by Parliament in February, Edwards recommended giving the commission the power to impose civil penalties for serious breaches of privacy under the Privacy Act.
At present, criminal fines for privacy breaches are $2000 for an individual and $10,000 for a corporation, and the bulk of enforcement happens through the Human Rights Review Tribunal.
Edwards also recommended raising damages to $100,000 for an individual and up to $1 million for a corporation.
Italian, Dutch, and British privacy watchdog agencies have announced probes into the hack, despite having minimal or no power to issue fines and penalties.
The company’s new chief executive, Dara Khosrowshahi, wrote in a blogpost that the information was accessed by two individuals through a third-party cloudbased service that Uber uses.
Forensics experts have seen no indication that trip location history, credit card numbers, or bank account details had been accessed, Uber said.
Khosrowshahi said the hackers were subsequently identified, and the company ‘‘obtained assurances that the downloaded data had been destroyed’’.