Uber will inform all Canadians whose personal data may have been compromised in a 2016 breach after Alberta’s privacy commissioner ruled it must notify impacted drivers and riders in the province.
In a decision dated Feb. 28, the commissioner ruled that there is a real risk of significant harm to the affected individuals as a result of an Oct. 2016 breach that saw the theft of information — including names, email addresses and mobile numbers — from some 57 million accounts globally.
The personal information of drivers, such as their driver’s license numbers, could be used for identity theft or fraud, wrote Jill Clayton, information and privacy commissioner.
“These are significant harms,” she wrote.
The organization must notify affected drivers and riders whose information was collected in Alberta, she ruled, and notify the commissioner in writing that it has done so within 10 days of the decision.
It has already informed all drivers globally, including the 23 that appeared to have Canadian connections, according to the ruling. But affected riders had not yet been notified.
While Uber disagrees with the ruling, it will comply, said spokesman Jean-Christophe de le Rue.
Uber will email affected riders and drivers in not just Alberta, but across the country over the next few days. It previously disclosed that 815,000 Canadian riders and drivers may have been affected.
The stolen information included names, email addresses and mobile numbers. An internal investigation failed to identify that any location history, credit card numbers, bank account numbers or birth dates were downloaded, the company said.
When Uber discovered the breach, De Le Rue said, it conducted a thorough investigation and notified Canadian privacy commissioners, fully co-operating with their investigations.
The company has seen no evidence of fraud or misuse tied to the incident and continues to monitor the affected accounts, he said.
Uber plans to ask for a judicial review of the ruling because, in its view, the breach did not create a real risk of significant harm.
The privacy commissioner’s office did not immediately respond to a request for comment.
In 2010, the province of Alberta became the first Canadian jurisdiction to require private-sector organizations, like Uber, to notify consumers of such breaches when “a real risk of significant harm” exists.