When news broke that controversial car-hailing service, Uber, admitted to a breach of company security that amounted to stolen customer data, nobody was seriously surprised. Even when it came to light that Uber reportedly paid the hackers $100,000 to destroy the stolen information, I wasn’t surprised. But by far the most interesting piece of news to come from this Uber data breach debacle is that the Privacy Commissioner of Canada is opening an investigation into the matter.
The golden days of Uber now seem to be over. The attempts at charging into communities and disregarding policy and legal warnings from local politicians now seem to be over. With the imminent arrival of Lyft in Toronto, the open field of competition is growing smaller. While all of this is great from the perspective of fair business practices, what does this privacy investigation say about fraud in Canada?
For one thing, we’re not alone. The province of Alberta has launched a class action lawsuit against the company, similar to investigations that have been opened in the U.K., Australia and the U.S. With these investigations open, lawmakers and political circles are saying enough is enough.
Those of us in the fraud litigation communities are well aware of how hard it can be to get any sort of tangible response and action from government services. These investigations are the perfect step in making Uber understand that the days of forcing themselves into communities without the proper infrastructure are over.
Now that this information is out in the open, I suspect we’ll start to see more stringent rules and regulations put in place for future-proofing similar companies that come along. Specifically, I think investigations like these will curb the “apologize first, fix it later” approach that we’ve seen recently with data breaches like Equifax, who were fully aware of the security flaws in their systems and did nothing to fix them until the inevitable happened.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter,” said Uber Canada spokesperson Xavier Van Chau in a statement.
Regarding the $100,000 paid, Reuters reported that the payment was made through a bug bounty service — where money is paid to security researchers who identify and report flaws or bugs found in a company’s systems — in an attempt to disguise the payment as a typical reward.
The fact that these investigations are making headlines around the country is an important reminder for consumers to remain diligent when it comes to protecting themselves; apathy towards data breaches is a giant detriment in trying to lower the rate at which these events are happening. And while the current legislation doesn’t allow the privacy commissioner to issue binding orders or fines against companies that misuse personal information or ignore its recommendations, it can take non-compliant companies to Canada’s Federal Court, where a judge can order the company to comply.
Now it’s just a matter of voting with your wallet and paying attention to the ongoing investigations in the hopes that they provide some positive solutions to these systemic issues.