New Zealand information was stolen in the cyberattack on Uber that compromised data from 57 million riders and drivers. This information included names, email addresses and mobile phone numbers.
It has been reported that Uber paid hackers $100,000 to keep that information behind closed doors.
In a company blog post, Dara Khosrowshahi, Uber’s new CEO, said the incident should never have happened or been covered up, and that two employees have been fired as a result.
Uber spokeswoman Nicky Preston confirmed that “no critical info was downloaded” or had been released, like drivers’ licences or credit cards. However, the names, phone numbers and email addresses of New Zealand users had been accessed by the hackers.”
“We’re not releasing numbers and to be completely honest I don’t know the scale,” said Preston.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection”
Privacy Commissioner John Edwards said: “We are disappointed that although this breach occurred in October 2016, we are only now hearing the details.
“This kind of incident underscores the importance and urgency of mandatory breach reporting laws, which the Government has been considering since 2011.”
At present, criminal fines for privacy breaches are $2000 for an individual and $10,000 for a corporation, and the bulk of enforcement happens through the Human Rights Review Tribunal.
Edwards also recommended raising damages to $100,000 for an individual and up to $1 million for a corporation.