News that Uber concealed for more than a year a hack that compromised the personal data of more than 57 million customers around the world is renewing calls from privacy advocates for the Canadian government to force companies to alert consumers when their privacy is breached.
Uber CEO Dara Khosrowshah announced in a blog post Tuesday evening that in October 2016 two hackers stole user data from 50,000 customers and 7,000 drivers that the company was storing on a third-party data storage application.
While he said the company is “notifying regulatory authorities” of the incident, he refused to specify how many customers and drivers from each affected country had their data compromised.
The company has also confirmed it then paid the hackers $100,000 to delete the data and stay silent.
“This type of hack is once again a reminder that the government needs to listen to the privacy commissioner and implement fines for companies who treat Canadians’ information this way,” said Matthew Dube, the NDP’s public safety critic. “The law also needs to be changed to force companies to divulge these hacks and be transparent.”
In Canada, companies are not required to notify users when their data is breached and companies rarely face fines or penalties for allowing customer information to be compromised.
Privacy advocates have called on the government for years to implement what is known as “mandatory breach reporting,” which would require companies to alert consumers when their information is breached.
Privacy Commissioner Daniel Therrien said earlier this month before a Senate committee that unless there are severe consequences for companies that do not protect user information, few will take their responsibility for protecting consumer data as seriously as they should.
“The fact there are no monetary consequences for them other than the loss of clients means it’s not taken seriously enough,” Therrien said. “If they were vulnerable to lawsuits and substantial fines, then in my opinion that would really focus their minds and make sure that corporate directors would pay close attention to this very widespread phenomenon of hacking, and make sure they were covered legally.”
A spokesperson for Therrien told Global News the office has asked Uber to explain what happened but has not opened a formal investigation.
“I can also tell you that we are reaching out to our international counterparts to discuss the matter,” said Valerie Lawton, spokesperson for the office. “Uber has advised us it is not able to confirm the number of impacted Canadian customers. We have asked Uber to provide us with a written breach report, in which we would expect them to provide details about how the breach happened and about the impact on Canadians.”
WATCH: Uber concealed huge data breach that affected 57 million users
Uber says the data stolen included the names and drivers’ licenses of 600,000 drivers in the United States along with “some personal information” of the users around the world.
“This information included names, email addresses and mobile phone numbers,” the company said, and noted the outside forensics experts it had hired to assess the breach had not found indications that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were among the data stolen by the hackers.
It also said that while it was monitoring individual accounts affected by the hack, it had not directly contacted the owners of those accounts and that it does not believe users need to do anything to secure their information.
“We do not believe any individual rider needs to take any action,” said Uber. “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”
Global News asked Uber Canada for more clarity on how many Canadians are affected by the hack.
The company responded by copying and pasting the statement issued by its CEO into an email.
Canada is far from alone when it comes to requiring companies to alert consumers when their personal information is compromised.
“There are only a handful of states and nations that actually require organizations to publicly disclose breaches,” said Nadeem Douba, managing partner and hacker at Red Canari, an Ottawa-based information security startup.
“Sure, Uber was a bad citizen in this case and they absolutely should have notified user. Perhaps they felt that users were protected because they received guarantees that the breach data was not going to be released. However, there are no guarantees in life – especially in hacking commerce.”
Douba, who specializes in testing cyber infrastructure for vulnerabilities, says the developers and architects working at technology firms are rarely trained to put security at the forefront of concerns when developing new platforms.
“This means security often takes a back seat,” he said.
Douba noted he does not think consumers should panic about the breach and that there’s no indication so far that continuing to use Uber would put their security at risk in the future, or that there will be a mass exodus of users from the app.
But that does not mean Uber’s reputation will emerge unscathed.
“The way this breach was handled will definitely impact the public’s perception of trust with Uber in the short term,” he said. “Will it impact their bottom line? Who knows – most likely not.”