The NDP is calling on Privacy Commissioner Daniel Therrien to open a formal investigation after the ride-hailing service Uber admitted earlier this week it covered up a hack that compromised the personal information of 57 million users and drivers last year.
A spokesperson for Therrien told Global News on Wednesday it asked Uber to explain how the hack happened and how many Canadians are affected but that the company told them it “was not able to confirm the number of impacted Canadian customers.”
The company said the names, email addresses and cellphone numbers of customers were accessed when two hackers broke into a third-party data storage service it was using, as well as driver’s license information from its drivers, but that trip location history, credit card numbers, bank account numbers and social security numbers did not appear to be among the stolen information.
While the privacy commissioner has asked Uber to provide a written breach report and said the office is working with international counterparts to figure out what happened, NDP public safety critic Matthew Dubé has asked Therrien to open a formal investigation into the hack.
“We believe that companies with this much access to personal data must be transparent and accountable to the government and be required to inform members of the public when they are victims of this kind of data theft,” Dubé said in a letter sent Wednesday evening to the privacy commissioner and shared with Global News.
“Accordingly, I ask that you study this issue and investigate the Uber case to shed light on the many questions and concerns it raises. I believe it is important for you to conduct an open and thorough investigation so that parliamentarians can take your recommendations into account in the legislative process.”
WATCH: Uber reveals it was the victim of a hack
Regulatory authorities in the United States, the United Kingdom, Australia and the Philippines have already announced they will investigate Uber for the breach.
Despite performing forensic investigations on the accounts affected, Uber has so far refused to say which users were affected or where they live, meaning it is not known at this point how many Canadian accounts were compromised.
The company says it is co-operating with authorities around the world but that it will not be releasing more information at this time.
“The privacy of our riders and drivers is of paramount importance for Uber,” said company spokesperson Jean-Christophe de la Rue. “That is why we are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner’s Office here in Canada. Until we complete that process, we aren’t in a position to get into more detail.”
In Canada, companies are not required to notify users when their data is breached and companies rarely face fines or penalties for allowing customer information to be compromised.
Privacy advocates have called on the government for years to implement what is known as “mandatory breach reporting,” which would require companies to alert consumers when their information is breached.
A similar issue emerged in September when the credit bureau Equifax admitted it had been hacked earlier in 2017 but did not immediately reveal how many Canadians were impacted.
In that case, it later emerged, roughly 8,000 Canadians had credit cards and social security numbers stolen by hackers because the company did not patch a security flaw in its networks that had been previously identified by American authorities.
That attack began in May, lasted until the middle of July, and was revealed publicly in September, at which point Therrien’s office announced it was opening an investigation into the case.
A total of 145.5 million Americans were affected by that breach, resulting in more than 50 class action lawsuits and several also being launched in Canada.