Uber admonished for covering up huge data breach

Published: November 25, 2017

Updated: July 24, 2018

Author: Luke Jones



Security experts are reacting to Uber’s recent data breach and are pushing for wider protection regulations in Canada, specifically creating laws to prevent companies from trying to cover up such attacks.

On Tuesday, Uber admitted its system had been hacked and million of customers’ email addresses, names, and mobile numbers had been stolen. The attack happened nearly a year ago and Uber attempted to cover it up. The company paid the attackers $100,000 to destroy the stolen data.

“That hiding of things, or that lack of communication over the breach, that is certainly a major concern for me,” said Satyamoorthy Kabilan, director of national security at the Conference Board of Canada.

Kabilan argues it is essential that companies report these breaches when they happen to victims know so trust can be maintained, and security experts can work on solutions.

“What we’ve seen is organizations which are up front about what happened, they tend to retain the trust of users, whereas organizations that don’t can be hit very badly.”

While admitting the breach, Uber has remained vague on the details, only saying the attackers took 600,000 Uber drivers license numbers in the U.S. alone. The company has 57 million users around the world and has not detailed per-country data. Uber as around two million users in Canada.

 “We are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner’s Office here in Canada. Until we complete that process we aren’t in a position to get into more detail,” said Uber Canada spokesman Jean-Christophe de le Rue.

Regulators in other countries have shown concern and sprung into action. In the United Kingdom, authorities said Uber’s fines could be bigger than normal because the company decided to cover up the breach.

“This type of hack is once again a reminder that the government needs to listen to the Privacy Commissioner and implement fines for companies who treat Canadians’ information this way. The law also needs to be changed to force companies to divulge these hacks and be transparent.”