That Uber breach? Privacy commissioner is now investigating

Personal information for more than 57 million of Uber's riders and drivers was stolen in 2016, and Uber still won't say how many Canadians were affected.

Company still won't say how many Canadian users had data stolen in 2016

The company 'will continue to work with the Privacy Commissioner on this matter,' said an Uber Canada spokesperson to CBC News. (Gian-Paolo Mendoza/CBC)

The country's privacy commissioner is opening a formal investigation into a 2016 Uber breach that compromised the personal information of tens of millions of the ride-hailing service's users.

Similar investigations have been launched by authorities in the U.S., U.K. and Australia, as well as numerous U.S. states, while a class-action lawsuit has also been filed in Alberta.   

Uber revealed last month that information on more than 57 million of the service's riders and drivers was stolen in 2016, though the company says it has no evidence the data was misused.

The company won't say how many Canadian users had data stolen. The U.K. government says it learned that 2.7 million U.K. users were affected.

Uber's former chief security officer Joe Sullivan managed to keep the breach a secret for more than a year, until it emerged last month that the company had paid the thieves $100,000 to destroy the information.

Reuters reported that the payment was made through a bug bounty service — where money is paid to security researchers who identify and report flaws or bugs found in a company's systems — in an attempt to disguise the payment as a typical reward.

"The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter," said Uber Canada spokesperson Xavier Van Chau in a statement.

Another spokesperson, Susie Heath, previously told CBC News that, until the company is finished working with authorities, "we aren't in a position to get into more detail."

In his annual report to Parliament this past fall, Privacy Commissioner Daniel Therrien said his office was looking to be more proactive in its enforcement of the country's privacy protections — in part, by launching more of its own investigations.

Under current legislation, the privacy commissioner cannot issue binding orders or fines against companies that misuse personal information or ignore its recommendations. It can, however, take non-compliant companies to Canada's Federal Court, where a judge can order the company to comply.

"We received a letter from a parliamentarian, which prompted our office to open a commissioner-initiated complaint," said Tobi Cohen, a spokeswoman for the privacy commissioner's office. "We have not received a written breach report from Uber, nor have we been advised of the impact on Canadians. We've asked Uber to provide us with that information as soon as possible. Discussions with Uber are ongoing."

She declined to provide further information, citing confidentiality provisions of Canada's privacy legislation.

About the Author

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. If you have a tip, you can contact this reporter securely using Signal or WhatsApp at +1 416 316 4872, or via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.