Business

Uber can't confirm number of Canadians impacted in security breach: privacy commissioner

Canada's federal privacy commissioner says Uber Technologies Inc. can't confirm how many Canadians may be affected by an October 2016 security breach that the riding-hailing firm initially tried to cover up.

Data on 57 million Uber users was taken in hack last year

Uber's disclosure that the data of about 57 million users was stolen in a cyber breach last year has governments in several countries launching investigations. (Eric Risberg/Associated Press)

Canada's federal privacy commissioner says Uber Technologies Inc. can't confirm how many Canadians may be affected by an October 2016 security breach that the riding-hailing firm initially tried to cover up.

The Office of the Privacy Commissioner of Canada told CBC News it has reached out to the company to ask for more information about the breach.

"We have asked Uber to provide us with a written breach report, in which we would expect them to provide details about how the breach happened and about the impact on Canadians," Valerie Lawton, a spokesperson for the privacy commissioner, said in an emailed statement.

The privacy commissioner's office has not opened a formal investigation, but said it is reaching out to its international counterparts.

"The privacy of our riders and drivers is of paramount importance for Uber," said Uber Canada spokesperson Susie Heath.

"That is why we are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner's Office here in Canada. Until we complete that process we aren't in a position to get into more detail," Heath said.

Authorities in the U.S., the U.K., Australia and the Philippines said they will investigate the company's handling of the breach. Attorneys general in several U.S. states, including Connecticut, Illinois, Massachusetts and New York, said they have launched probes.

Uber CEO Dara Khosrowshahi said in a statement posted Tuesday on the company's website that two individuals from outside the business had inappropriately accessed user data stored on a third-party cloud-based service. 

Dara Khosrowshahi took over as chief executive officer of Uber in August. (Matthew Lloyd/Bloomberg)

Khrosrowshahi said the individuals were able to download load files containing the names and driver's license numbers of around 600,000 drivers in the United States, and some personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.

Uber said Tuesday that in late 2016 it had paid hackers about $100,000 US to destroy the data on the customers and drivers, and had decided not to report the breach to victims or authorities.

Khrosrowshahi acknowledged that the company made a mistake in its handling of the breach, and said two people who led the response to it are no longer with Uber. The company fired its chief security officer, Joe Sullivan, and his deputy, Craig Clark, this week. 

Uber said that while it has not seen evidence of fraud or misuse tied to the incident, it is monitoring affected accounts and have flagged them for additional fraud protection.

Reuters reported that a spokesperson for Uber co-founder and former CEO Travis Kalanick declined to comment on the breach. Replaced as CEO by Khrosrowshahi in August, Kalanick is still on Uber's board of directors.

The breach at Uber is the latest in a string of massive cybersecurity incidents recently. A breach at Equifax resulted in the exposure of the data of roughly 145 million people in the United States, and about 8,000 Canadians.

with files from Reuters