The country’s Privacy Commissioner is opening a formal investigation into a 2016 Uber breach that compromised the personal information of tens of millions of the ride-hailing service’s users.
Similar investigations have been launched by authorities in the U.S., U.K., and Australia, as well as numerous U.S. states, while a class-action lawsuit has also been filed in Alberta.
Uber revealed last month that information on more than 57 million of the service’s riders and drivers was stolen in 2016, though the company says it has no evidence the data was misused.
The company won’t say how many Canadians users had data stolen. The U.K. government says it learned that 2.7 million U.K. users were affected.
Uber’s former chief security officer Joe Sullivan managed to keep the breach a secret for more than a year, until it emerged last month that had paid the thieves $100,000 to destroy the information.
Reuters reported that the payment was disguised as a bug bounty payout — money often paid to security researchers who identify and report flaws or bugs found in a company’s systems.
“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the Privacy Commissioner on this matter,” said Uber Canada spokesperson Xavier Van Chau in a statement.
Another spokesperson, Susie Heath, previously told CBC News that, until the company is finished working with authorities, “we aren’t in a position to get into more detail.”
In his annual report to Parliament this past fall, Privacy Commissioner Daniel Therrien said his office was looking to be more proactive in its enforcement of the country’s privacy protections — in part, by launching more of its own investigations.
Under current legislation, the privacy commissioner cannot issue binding orders or fines against companies that misuse personal information or ignore its recommendations. It can, however, take non-compliant companies to Canada’s Federal Court, where a judge can order the company to comply.
Tobi Cohen, a spokesperson for the privacy commissioner’s office, declined to provide further information, citing confidentiality provisions of Canada’s privacy legislation.