100,000 Kiwis in massive Uber hack
No credit card or bank account information stolen but security breach kept quiet for more than a year
About 100,000 New Zealand customers and drivers were caught up in a mass hack on ride-sharing company Uber, a security breach that was kept quiet for more than a year.
The Office of the Privacy Commissioner said for nearly all individuals, the downloaded files included names, email addresses and mobile phone numbers.
A spokeswoman said: “We also understand that there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were in the files that were downloaded.”
The Office of the Privacy Commissioner had not received any complaints from affected individuals.
“Uber has said that they are contacting all drivers with driver’s licence numbers in the downloaded files and providing all those drivers with free identity theft protection,” the spokeswoman said.
Uber Technologies faces at least three probes in Europe following revelations hackers stole vast amounts of personal data about customers and drivers. Some 57 million drivers and customers were affected.
Uber formally informed the commissioner’s office last month. The breach occurred late in 2016.
An Uber spokesman last month said the hackers obtained names, phone numbers and email addresses but not credit card or bank account information, nor location history.
Privacy Commissioner John Edwards at that time said while he was pleased the local representative of Uber had notified his office of the issue, “the one-year gap between the breach and notification shows why breach notification should be mandatory . . . People cannot take the action they need to take if they don’t know about the data breach in the first place,” he said.
Uber last month ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a US$100,000 payment to the attackers.
While some European watchdogs’ fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data protection authorities across the bloc will get the same powers to fine companies, including US firms, as much as 4 per cent of annual sales.
Uber’s chief executive Dara Khosrowshahi said none of this should have happened. “I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
reporting: Washington