Uber says it will inform all Canadians whose personal data may have been compromised in a 2016 breach after Alberta’s privacy commissioner ruled it must do so.
Company spokesman Jean-Christophe de Le Rue says while the company disagrees with the ruling, it will comply.
Uber will email affected riders and drivers in the country over the next few days about the Oct. 2016 breach that saw the theft of information from some 57 million accounts globally.
The company previously disclosed that 815,000 Canadian riders and drivers may have been affected.
The stolen information included names, email addresses and mobile numbers. The company said an internal investigation did not find that any location history, credit card numbers, bank account numbers or birth dates were downloaded.
De Le Rue says that when Uber learned about the breach, it conducted a thorough investigation and notified Canadian privacy commissioners, fully co-operating with their investigations.
He says the company has seen no evidence of fraud or misuse tied to the incident and continues to monitor the affected accounts.
Uber plans to ask for a judicial review of the ruling because, in its view, the breach did not create a real risk of significant harm.
The office of the information and privacy commissioner of Alberta did not immediately respond to a request for comment.
In 2010, the province of Alberta became the first Canadian jurisdiction to require private-sector organizations, like Uber, to notify consumers of such breaches when “a real risk of significant harm” exists.
The Canadian Press