Canuck privacy commissioner to dig into Uber data breach

Formal investigation launched. Not the first, won't be the last

By Kieren McCarthy in San Francisco


Canada's privacy commissioner has launched a formal investigation into the massive data breach concealed by the ride-hailing app company Uber.

Last month, Uber's new CEO revealed that a year previously the details of 57 million customer and driver accounts had been stolen, but the company had decided not to divulge the breach at the time.

Instead, the company paid the hacker – reportedly a 20-year-old Florida man living with his mom - $100,000 to delete the data and keep quiet. It pushed the payment through a bug bounty program to make it seem legitimate.

The news caused both US and UK authorities to launch immediate investigations but Canada's privacy commissioner Daniel Therrien took a more cautious response and asked Uber to file a report explaining the breach and its impact on Canadian citizens.

Florida Man… pockets Uber cash to keep quiet about data breach


That report has presumably been delivered and Therrien didn't like what he saw. Although we know that 57 million accounts in total were affected, and that 2.7 million of them live in the UK, it's still unclear how many of the estimated two million Canadian Uber users were impacted.

The ongoing lack of information lead to Toronto city council last week voting to demand relevant information from Uber as a condition of its licensing agreement.

In addition to these three privacy commissioners investigations, Uber is also being sued for its failure to disclose the breach – a legal requirement in some US states. Canadian law currently doesn’t require disclosure of data breaches but that is almost certain to change, with a proposal to made it a legal requirement complete with a fine up to CA$100,000 for a failure to do so, have already been put out for public consultation.

Uber Canada said it would co-operate with the investigation. "The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter," said a spokesman. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

EU's data protection bods join the party to investigate Uber breach told to sever ties with 'grubby, unethical' company

Pennsylvania AG sues Uber over 2016 data fail

Not much brotherly love in this Philly court case

Uber fined £385k by ICO for THAT hack of 57m customers' deets

Updated 2.7 million Brits caught up in 'serious failure of data security' says UK data watchdog

Canada charges chap alleged to run stolen data-mart Leakedsource

Unlike similar services, this one sold purloined passwords

Error Canada: Airline tells customers to reset mobile app after attack

Clumsy Canucks app poutine passport data in hacker's hands

Uber quits GitHub for in-house code after 2016 data breach

Code trove wasn't to blame: Uber didn’t have multifactor authentication on repos that included AWS credentials

Uber hopes to butter up Brit transport chiefs with lots of lovely data

App biz flings travel info at capital's transport regulator ahead of licensing decision

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

Uber to dole out $148m settlement among US states over breach it paid $100k to bury

Nice. Ride-hailing app firm also vows to comply with law