Canuck privacy commissioner to dig into Uber data breach

Formal investigation launched. Not the first, won't be the last

By Kieren McCarthy in San Francisco

Posted in Business, 11th December 2017 21:55 GMT

Canada's privacy commissioner has launched a formal investigation into the massive data breach concealed by the ride-hailing app company Uber.

Last month, Uber's new CEO revealed that a year previously the details of 57 million customer and driver accounts had been stolen, but the company had decided not to divulge the breach at the time.

Instead, the company paid the hacker – reportedly a 20-year-old Florida man living with his mom - $100,000 to delete the data and keep quiet. It pushed the payment through a bug bounty program to make it seem legitimate.

The news caused both US and UK authorities to launch immediate investigations but Canada's privacy commissioner Daniel Therrien took a more cautious response and asked Uber to file a report explaining the breach and its impact on Canadian citizens.

Florida Man… pockets Uber cash to keep quiet about data breach


That report has presumably been delivered and Therrien didn't like what he saw. Although we know that 57 million accounts in total were affected, and that 2.7 million of them live in the UK, it's still unclear how many of the estimated two million Canadian Uber users were impacted.

The ongoing lack of information lead to Toronto city council last week voting to demand relevant information from Uber as a condition of its licensing agreement.

In addition to these three privacy commissioners investigations, Uber is also being sued for its failure to disclose the breach – a legal requirement in some US states. Canadian law currently doesn’t require disclosure of data breaches but that is almost certain to change, with a proposal to made it a legal requirement complete with a fine up to CA$100,000 for a failure to do so, have already been put out for public consultation.

Uber Canada said it would co-operate with the investigation. "The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter," said a spokesman. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

EU's data protection bods join the party to investigate Uber breach told to sever ties with 'grubby, unethical' company

Canada charges chap alleged to run stolen data-mart Leakedsource

Unlike similar services, this one sold purloined passwords

Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

The North remembers: York scraps Uber's licence over data breach

But taxi biz can restart work in Sheffield

Of course Uber allegedly had a tool to remotely destroy evidence

Early contender emerges for 'least surprising story of 2018'

Florida Man… pockets Uber cash to keep quiet about data breach

That's not how bug bounties work, Travis

Uber v Waymo latest: Google spinoff refused access to Uber internal doc hunt details

Wall of silence remains, albeit with a couple of holes

You're such a goober, Uber: UK regulators blast hushed breach

MP: Funny, you managed to contact customers when TfL put your licence on hold…