Uber isn’t saying how many Canadians were affected by year-old hack

The company also admits it paid the hackers $100,000 to destroy the stolen information

Privacy advocates are raising alarms at Uber’s reluctance to disclose a year-old security breach that saw hackers steal the personal information of millions of customers around the world.

Uber admitted Monday that hackers stole names, email addresses and mobile phone numbers of 57 million riders but has still not said which customers had their data stolen including the number of Canadians affected.

Related: RIMS Canada Conference 2017: Full CITB coverage

The company specifies only that hackers took the driver’s license numbers of 600,000 Uber drivers in the U.S.

So far, there’s no evidence that the data taken has been misused, according to a Tuesday blog post by Ubers recently hired CEO, Dara Khosrowshahi. Part of the reason nothing malicious has happened is because Uber acknowledges paying the hackers $100,000 to destroy the stolen information.

Khosrowshahi criticized Uber’s handling of its data theft in his blog post.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi wrote. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

New York’s state Attorney General has confirmed it has opened an investigation into the breach, with state laws requiring companies to give notice if data is stolen.

The company also faces potentially higher than usual fines from British authorities because the firm did not promptly disclose the hack.

The Privacy Commissioner of Canada has not yet launched a formal investigation but is reaching out to its international counterparts to discuss the matter, said spokeswoman Valerie Lawton by email.

She said that Uber has told the commissioner that it is unable to confirm the number of Canadians affected, but that the agency has asked Uber to provide a written breach report including details on how the breach happened and the impact on Canadians.

Canada does not have laws requiring disclosure of data breaches, but NDP public safety critic Matthew Dube said in an email that the Uber incident shows the need for them.

Related: Popularity of sharing economy businesses requires movement on specialized coverage: IIC

“This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians’ information this way. The law also needs to be changed to force companies to divulge these hacks and be transparent.”

The company still has not provided any details on the number of Canadians affected despite multiple requests, going against the importance of transparency in these matters, said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.

“That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me.”

He said it’s important for companies to proactively disclose data breaches so that individuals can respond, so that security experts can learn from the breach, and to retain the trust of customers.

“What we’ve seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don’t can be hit very badly.”

He said that it’s impossible to ensure that data breaches don’t happen, so companies need to be prepared for when they do, including how to communicate with users.

“In today’s complex, interconnected world, it’s impossible to have 100% security, so you also need to be prepared with what to do should something bad happen.”

The Uber breach is only the latest disclosure of numerous major data breaches in recent years involving prominent companies.

Earlier this year, credit reporting service Equifax waited several months before revealing this past September that hackers had stolen the Social Security numbers of 145 million Americans.

Equifax also did not immediately disclose how many Canadians were affected even as it provided specifics about the number of Americans and Brits who were impacted.

It later said only about 8,000 Canadians were affected.

– With files from The Associated Press

Canadian Insurance Top Broker is on LinkedIn (linkedin.com/company/citopbroker) and Twitter (twitter.com/CITopBroker). Follow us for easy access to the top P&C news you need to know.

Copyright © 2017 Transcontinental Media G.P.
Transcontinental Media G.P.