U.S.-based ride-sharing giant Uber will be informing all Canadian riders and drivers affected by the company’s 2016 privacy breach.
The decision comes in the wake of a Feb. 28th, 2018 Alberta privacy commissioner ruling that determined that the breach produced a “real risk of significant harm.”
Uber said that while the company disagrees with the privacy commissioner’s ruling, it will comply with the decision. Affected Uber users will be notified through email.
“When Uber’s new leadership learned of the incident from 2016, they initiated a thorough investigation, disclosed the circumstances to Canadian privacy commissioners, and committed full cooperation with their investigations,” said Uber, in an email statement to MobileSyrup. “Our outside forensic experts have seen no indication that credit card information, dates of birth, or location over time were accessed or downloaded.
Uber plans on requesting a judicial review of the Alberta privacy commissioner’s ruling, because the company disagrees with the suggestion that the incident created a real risk of significant harm.
“We have seen no evidence of fraud or misuse tied to this incident, and are monitoring the affected accounts,” Uber told MobileSyrup.
Uber publicly acknowledged in November 2017 that it had concealed a 2016 cyberattack that affected roughly 57 million U.S. passengers and drivers.
The company later confirmed that roughly 815,000 Canadian customers were also affected by the privacy breach.
Uber is currently under investigation by the Office of the Privacy Commissioner of Canada (OPC).
“Due to confidentiality provisions in the federal private sector privacy law, we don’t have further details to share at this time,” said the OPC, in an email to MobileSyrup.
Update 12/03/2018 (5:43pm ET): Two MobileSyrup editors have received emails from Uber regarding the 2016 cybersecurity breach.
The email explains the facts of the breach and reiterates that Uber’s “outside forensics experts have seen no indication that trip location history, dates of birth, or payment information were accessed or downloaded.”