Canada’s privacy commissioner opens formal investigation into the 2016 Uber breach, similar to others launched by other countries

Supported By:

Net Patrol International Inc.  Data Investigation and Forensic Services
Bankruptcy and Insolvency Trustees

The country’s privacy commissioner is opening a formal investigation into a 2016 Uber breach that compromised the personal information of tens of millions of the ride-hailing service’s users.

Similar investigations have been launched by authorities in the U.S., U.K. and Australia, as well as numerous U.S. states, while a class-action lawsuit has also been filed in Alberta.

Uber revealed last month that information on more than 57 million of the service’s riders and drivers was stolen in 2016, though the company says it has no evidence the data was misused.

The company won’t say how many Canadians users had data stolen. The U.K. government says it learned that 2.7 million U.K. users were affected.

Uber’s former chief security officer Joe Sullivan managed to keep the breach a secret for more than a year, until it emerged last month that had paid the thieves $100,000 to destroy the information.

Reuters reported that the payment was made through a bug bounty service — where money is paid to security researchers who identify and report flaws or bugs found in a company’s systems — in an attempt to disguise the payment as a typical reward.

“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter,” said Uber Canada spokesperson Xavier Van Chau in a statement.

Another spokesperson, Susie Heath, previously told CBC News that, until the company is finished working with authorities, “we aren’t in a position to get into more detail.”

In his annual report to Parliament this past fall, Privacy Commissioner Daniel Therrien said his office was looking to be more proactive in its enforcement of the country’s privacy protections — in part, by launching more of its own investigations.

Under current legislation, the privacy commissioner cannot issue binding orders or fines against companies that misuse personal information or ignore its recommendations. It can, however, take non-compliant companies to Canada’s Federal Court, where a judge can order the company to comply.

Read the full story at CBC News.

This story was summarized by Canadian Fraud News Inc.