Privacy Commissioner Daniel Therrien has opened a formal investigation into the hack of Uber announced last month that compromised the personal information of roughly 57 million customers around the world.
Uber CEO Dara Khosrowshahi announced in a blog post on Nov. 21 that two hackers had, more than a year ago, stolen data on drivers and customers that the company was storing on a third-party data storage application.
He did not disclose the number of customers or drivers in each country that were affected by the hack but later confirmed the company paid the hackers $100,000 to keep the breach secret.
As Global News reported last month, news of the hack — and the fact that Uber had kept it secret for so long — quickly prompted calls for Canada to introduce tighter privacy regulations that would require companies to notify users when their private data is compromised.
Currently in Canada, companies are not required to notify users when their data is breached and companies rarely face fines or penalties for allowing customer information to be compromised.
A spokesperson for Therrien had said last month the office had asked Uber to tell them how many Canadians were affected but that the company had indicated it could not do so.
In an email to Global News, another spokesperson for the privacy commissioner indicated they still cannot say how many Canadians had their private information accessed by the hackers.
Uber Canada is still not saying how many Canadian accounts were involved.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the Privacy Commissioner on this matter,” said Jean-Christophe de la Rue, spokesperson for the company in Canada.
Uber has said the data stolen included the names and drivers’ licenses of 600,000 drivers in the United States, along with “some personal information” of users around the world.
That information includes names, email addresses and mobile phone numbers but the company said it did not appear to include trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth.