About 100,000 Kiwis caught up in Uber hack attack

The Office of the Privacy Commissioner said for nearly all individuals, the downloaded files included name, email address and mobile phone number. Picture / Dean Purcell

About 100,000 New Zealand customers and drivers were caught up in a mass hack on ride-sharing company Uber; a security breach that was kept quiet for more than a year.

The Office of the Privacy Commissioner said for nearly all individuals, the downloaded files included name, email address and mobile phone number.

A spokeswoman said: "We also understand that there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were in the files that were downloaded."

The Office of the Privacy Commissioner had not received any complaints from affected individuals.

"Uber has said that they are contacting all drivers with driver's licence numbers in the downloaded files and providing all those drivers with free identity theft protection," the spokeswoman said.

"Uber has reported that it has not seen evidence of fraud or misuse, but is monitoring the accounts that were downloaded."

Uber Technologies faces at least three probes in Europe following revelations hackers stole vast amounts of personal data about customers and drivers. Some 57 million drivers and customers were affected.

Uber formally informed the commissioner's office last month. The breach occurred late in 2016.

An Uber spokesman last month said the hackers obtained names, phone numbers and email addresses but not credit card or bank account information, nor location history.

Privacy Commissioner John Edwards at that time said while he was while he was pleased the local representative of Uber had notified his office of the issue, "the one-year gap between the breach and notification shows why breach notification should be mandatory".

"When personal information is lost, individuals need to take action to protect themselves. People cannot take the action they need to take if they don't know about the data breach in the first place," he said.

Uber last month ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a US$100,000 payment to the attackers.

At the time of the incident, Uber was negotiating with US regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken.

Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

A spokesman from Uber last month said the company was in the process of notifying various regulatory and government authorities.

While some European watchdogs' fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. This will change in May 2018, when data-protection authorities across the bloc will get the same powers to fine companies, including US firms, as much as 4 per cent of annual sales.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," said James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner's Office. He said the data breach raised "huge concerns around its data protection policies and ethics."

Uber's chief executive Dara Khosrowshahi said none of this should have happened.

"I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

- Additional reporting: Washington Post.