Kiwi users affected by Uber data hack
New Zealand information was stolen in the cyberattack on Uber that compromised data from 57 million riders and drivers.
Uber spokeswoman Nicky Preston confirmed the hack had reached New Zealand Uber users.
Preston said ‘‘no critical info was downloaded’’ or had been released, such as drivers’ licences or credit cards.
However, the names, phone numbers and email addresses of New Zealand users had been accessed by the hackers.
‘‘We’re not releasing numbers and to be completely honest I don’t know the scale,’’ she said.
‘‘While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.’’
Worldwide, 50 million riders had their addresses, phone numbers, names and emails compromised, and 7 million drivers’ details were accessed, including
600,000 US driver’s licence numbers. Uber informed the Privacy Commissioner of the incident on Wednesday, although the hack took place in October
2016, the company told Bloomberg. The company paid hackers US$100,000
(NZ$145,000) to delete the data and keep the breach quiet.
Privacy Commissioner John Edwards said he was disappointed to only now be hearing the details of the breach.
‘‘This kind of incident underscores the importance and urgency of mandatory breach reporting laws, which the Government has been considering since
2011.’’
In a report tabled by Parliament in February, Edwards recommended giving the commission the power to impose civil penalties for serious breaches of privacy under the Privacy Act.
At present, criminal fines for privacy breaches are $2000 for an individual and
$10,000 for a corporation, and the bulk of enforcement happens through the Human Rights Review Tribunal.
The company’s new chief executive, Dara Khosrowshahi, wrote in a blog post that the information was accessed by two individuals through a third-party cloudbased service that Uber uses.
He said the hackers were subsequently identified, and the company ‘‘obtained assurances that the downloaded data had been destroyed’’.