CALGARY – Uber Canada said late Monday that 815,000 Canadian riders and drivers may have been affected as part of its worldwide data breach announced in November.
The disclosure came the same day the federal privacy commissioner said it had opened a formal investigation into the data breach, which saw the theft of information from some 57 million Uber accounts globally in October, 2016.
Uber said the information taken includes names, email addresses, and mobile phone numbers from the accounts, but that its investigation has not found that any location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
Uber Canada spokesman Jean-Christophe de le Rue said the company will co-operate with the commissioner’s investigation.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter.”
News of the breach prompted authorities in the U.S. and U.K. to launch formal investigations immediately, while the commissioner in Canada initially asked that Uber file a report explaining how the breach happened and its impact on Canadians.
The privacy commissioner gave little detail in announcing the now formal investigation, noting confidentiality provisions under the Personal Information Protection and Electronic Documents Act.
The commissioner’s investigation was prompted by a letter from a parliamentarian, said spokesman Tobi Cohen.
Details of the number of Canadians affected also come after Toronto city council voted last week to demand information from the company on the breach, based on requirements in its license agreement with the city.
The company is also facing lawsuits, including one from Washington State, for failing to disclose the breach despite laws requiring it to do so.
Federally, Canada doesn’t have laws requiring companies to disclose data breaches, though Alberta does have requirements in place. The province said it had also launched an investigation.
Changes to federal privacy laws are under way that would make it a requirement, with public consultations closed in October, but under the proposed revision the privacy commissioner would be limited to issuing a maximum $100,000 fine for not disclosing a breach.
Attention to data breaches has increased after numerous high-profile incidents, including the Equifax breach earlier this year that included data on 145 million Americans and about 19,000 Canadians.