The theft of details on millions of Uber customers, and the company’s efforts to cover up the breach, have raised alarms among privacy experts and renewed calls for better data protection laws in Canada.
FILE – This Wednesday, March 1, 2017, file photo shows an exterior view of the headquarters of Uber in San Francisco. Uber paid $100,000 to hackers who stole data on the ride-hailing companyÄôs drivers and riders, then kept the massive data breach quiet for a year. This latest stain on UberÄôs reputation also raises serious questions about ransom payments to hackers, and legal implications as states and federal governments investigate whether Uber violated laws about notifying consumers about their stolen data. (AP Photo/Eric Risberg, File)
Uber admitted Tuesday that hackers stole names, email addresses and mobile phone numbers of 57 million riders close to a year ago. It has also acknowledged that it paid US$100,000 to the thieves to have the data destroyed.
“That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me,” said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.
He said it’s important for companies to be proactive about disclosures so victims can respond, security experts can learn from the breach, and companies can maintain the trust of customers.
“What we’ve seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don’t can be hit very badly.”
So far Uber has provided few details about the breach, specifying that hackers took the driver’s licence numbers of 600,000 Uber drivers in the U.S. but not providing any country breakdowns about affected customers, including how many of its roughly two million Canadian users were hit.
The company said Wednesday that its priority was disclosing information on the year-old breach to regulators.
“We are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner’s Office here in Canada. Until we complete that process we aren’t in a position to get into more detail,” said Uber Canada spokesman Jean-Christophe de le Rue by email.
News of the breach sent global regulators into action, with New York’s state Attorney General confirming it has already opened an investigation and U.K. authorities saying the company faces potentially higher than usual fines because it didn’t disclose the hack.
Both jurisdictions have laws requiring companies to disclose data thefts, unlike Canada where such laws are still only in the works.
The NDP’s public safety critic Matthew said by email that the Uber breach shows that the government must act faster in implementing laws that would protect information and deal with the growing threat of data theft.
“This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians’ information this way. The law also needs to be changed to force companies to divulge these hacks and be transparent.”
Changes to the Personal Information Protection and Electronic Documents Act that would require disclosure of breaches and fines for non-compliance are on the way, with public consultations having wrapped up in early October.
The government hasn’t said when the changes may come into force, but the Uber breach will only add to the urgency to do so, said cybersecurity and privacy lawyer Lyndsay Wasser of McMillan LLP.
“The number of high-profile breaches that have been happening is probably putting some pressure on the government to move this along.”
Even when the law is in place though, the Privacy Commissioner will have limited abilities to punish offenders with a maximum fine of $100,000 for not disclosing a breach, said Wasser.
That compares with fines equating to four per cent of worldwide turnover for multinational companies under EU laws set to come into force next year, she said.
Despite not being able to levy fines, the Privacy Commissioner can still launch an investigation as it did with the Equifax breach, but it has yet to do so, said spokeswoman Valerie Lawton by email.
For now, the agency is reaching out to its international counterparts to discuss the matter, and has asked Uber to provide a written breach report including details on how the breach happened and the impact on Canadians, she said.
In the Equifax case, the credit reporting service waited several months before revealing this past September that hackers had stolen the Social Security numbers of 145 million Americans.
Equifax provided specifics soon after about the number of Americans and Brits who were impacted, but only later disclosed that about 8,000 Canadians were also affected.
Kabilan said that with the growing prevalence of large-scale data theft, it’s becoming increasingly important for companies to prepare to respond to data theft as well as trying to prevent it.
“In today’s complex, interconnected world, it’s impossible to have 100 per cent security, so you also need to be prepared with what to do should something bad happen.”