Skip to main content

This June 21, 2017, file photo shows the building that houses the headquarters of Uber, in San Francisco.

Eric Risberg/AP

Privacy advocates are raising alarms at how Uber is handling a year-old security breach that saw hackers steal the personal information of millions of customers around the world.

Uber admitted Tuesday that hackers stole names, email addresses and mobile phone numbers of 57 million riders but has still not said which customers had their data stolen including the number of Canadians affected.

The company said Wednesday that its priority was disclosing information to regulators, though it has known about the breach for close to a year.

Story continues below advertisement

"We are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner's Office here in Canada. Until we complete that process we aren't in a position to get into more detail," said Uber Canada spokesman Jean-Christophe de le Rue by email.

The company has so far specified only that hackers took the driver's license numbers of 600,000 Uber drivers in the U.S. and that it has not seen evidence of fraud or misuse tied to the incident.

Uber also said that as of Tuesday, two of the individuals who led the response to this incident are no longer with the company.

New York's state Attorney General has confirmed it has opened an investigation into the breach, with state laws requiring companies to give notice if data is stolen.

The company also faces potentially higher than usual fines from British authorities because the firm did not promptly disclose the hack as required by laws in the U.K.

Canada, however, does not have laws requiring disclosure of data breaches, and the Privacy Commissioner of Canada said it has not yet launched a formal investigation.

The agency is, however, reaching out to its international counterparts to discuss the matter, and has asked Uber to provide a written breach report including details on how the breach happened and the impact on Canadian, said Privacy Commissioner spokeswoman Valerie Lawton by email.

Story continues below advertisement

NDP public safety critic Matthew said the Uber breach is the latest reminder that Canada needs to update its laws to deal with the growing threat of data theft.

"This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians' information this way. The law also needs to be changed to force companies to divulge these hacks and be transparent."

The spate of cybersecurity breaches from Yahoo to Equifax show that more regulation is needed and the threat of reputational damage isn't enough to force companies to act, said Benoit Dupont, Canada Research Chair in Cybersecurity at the University of Montreal.

"Twenty years of looking at hacks shows that the markets aren't good – the government is going to have to be a bit more assertive about how it directs and regulates companies to implement more stringent levels of cybersecurity."

The long-delayed announcement and lack of details so far goes against the importance of transparency in these matters, said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.

"That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me."

Story continues below advertisement

He said it's important for companies to proactively disclose data breaches so that individuals can respond, so that security experts can learn from the breach, and to retain the trust of customers.

"What we've seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don't can be hit very badly."

He said that it's impossible to ensure that data breaches don't happen, so companies need to be prepared for when they do, including how to communicate with users.

"In today's complex, interconnected world, it's impossible to have 100 per cent security, so you also need to be prepared with what to do should something bad happen."

The Uber breach is only the latest disclosure of numerous major data breaches in recent years involving prominent companies.

Earlier this year, credit reporting service Equifax waited several months before revealing this past September that hackers had stolen the Social Security numbers of 145 million Americans.

Equifax also did not immediately disclose how many Canadians were affected even as it provided specifics about the number of Americans and Brits who were impacted.

It later said only about 8,000 Canadians were affected.

Report an error
Tickers mentioned in this story
Unchecking box will stop auto data updates
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

If your comment doesn't appear immediately it has been sent to a member of our moderation team for review

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.