Uber must explain extent of hack, council says
Customers and drivers have ‘right to know’ if their data was affected by 2016 breach
The city will demand Uber reveal how many Toronto users were affected by a security breach that saw hackers access personal information of 57 million people worldwide in October 2016.
Council unanimously approved the member motion Friday, directing the city manager to not only demand information from Uber, but also to ask how and when the company will inform impacted drivers and riders in Toronto.
To date, the California-based ridesharing company has ignored requests from Canadian authorities to reveal how many Canadians were affected and where, a staff report said.
“Toronto’s Uber customers and drivers have a right to know if their personal data has been released as a result of this breach,” Councillor Janet Davis, who put forward the motion, told the Star.
“The city has given them incredible access to a huge market here in Toronto. I am hoping they recognize the value of our licensing agreement and abide by our request.”
Under Toronto’s licensing agreement with Uber established in May 2016, five months before the breach occurred, Uber is required to protect the personal data it collects from users, said the report. The agreement also requires Uber to be able to produce “all data or records” to the city or police for investigations or audits within 30 days of the request.
If Uber breaches the city’s licensing agreement it could face fines or suspensions, Davis said.
Uber officials said the company plans to work with the city.
“The privacy of our riders and drivers is of paramount importance for Uber,” spokesperson Susi Heath said in an email to the Star. “That is why we are working closely with regulatory and government authorities globally, including the Federal Privacy Commissioner’s Office here in Canada. We look forward to working with city officials on this matter.”
On Nov. 21, 2017, Uber CEO Dara Khosrowshahi said in a statement that two people had accessed user data stored on a third-party cloudbased service in late 2016.
Uber kept the data breach a secret for more than year after paying $100,000 (U.S.) in ransom, reported the New York Times. Hackers had downloaded the names and driver’s licence numbers of about 600,000 drivers in the U.S., plus “some personal information” of 57 million users from around the world, Khosrowshahi said in the statement. That information included names, email addresses and cellphone numbers.
“None of this should have happened and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”