New Zealanders' names, phone numbers and email addresses were among those stolen in a mass hack on ride-sharing company Uber, a security breach that was kept quiet for over a year.
Uber Technologies faces at least three probes in Europe following revelations that hackers stole vast amounts of personal data about customers and drivers. Some 57 million drivers and customers were affected.
An Uber spokesman confirmed today that New Zealander Uber drivers and "riders" were among those caught up in the hack.
The hackers obtained names, phone numbers and email addresses but not credit card or bank account information, nor location history, the spokesman said.
He did not know how many New Zealanders were affected.
Their Uber accounts were being monitored; however, affected customers had not been informed.
"While we have not seen any evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection."
Privacy Commissioner John Edwards said while he was pleased the local representative of Uber had notified his office of the issue, "the one-year gap between the breach and notification shows why breach notification should be mandatory".
"When personal information is lost, individuals need to take action to protect themselves. People cannot take the action they need to take if they don't know about the data breach in the first place," he said.
The commissioner was monitoring the situation and may investigate individual complaints by people whose information was in breach.
Uber formally informed the commissioner's office yesterday evening. The breach occurred late in 2016.
This week, Uber ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a US$100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber users around the world, the company told Bloomberg on Tuesday.
At the time of the incident, Uber was negotiating with US regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
A spokesman from Uber said the company was in the process of notifying various regulatory and government authorities.
The Netherlands regulator confirmed that Uber, which has its European base in the nation, has now informed it of the data breach. "As we do with every data breach report, we will look into this report very thoroughly," its spokeswoman Frederique Hermie said in an email.
While some European watchdogs' fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data-protection authorities across the bloc will get the same powers to fine companies, including US firms, as much as 4 per cent of annual sales.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner's Office, said in an emailed statement. He said the data breach raised "huge concerns around its data protection policies and ethics."
Uber's chief executive Dara Khosrowshahi said none of this should have happened.
"I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Additional reporting: Washington Post