
On Tuesday evening, Uber’s CEO announced that in late 2016 the company learned hackers gained access to the personal information of over 57 million users worldwide.

While the full extent of Uber’s data breach is still being uncovered, the personal information accessed in the data breach includes names, email addresses, and phone numbers, and may also include location history, credit card numbers and even social insurance numbers.[1]

It has also been reported that in response to the data breach, Uber paid a USD$100,000 ransom. It is alleged that the ransom deal was arranged by the company’s chief security officer and approved by the former chief executive.[2] An initial report from the New York Times found that Uber went to great lengths to cover up the data breach, including having the hackers sign nondisclosure agreements, and misrepresenting the use of the funds paid to the hackers.[3]

Writing on the Wall

As the full extent of Uber’s data breach comes to light, questions arise as to whether Uber’s previous run-ins with the United States’ Federal Trade Commission (the “FTC”) foreshadowed this latest breach.

In August 2017, Uber settled an investigation brought by the FTC regarding a data breach from May 2014, which exposed more than 100,000 names and driver’s license numbers of Uber’s drivers.[4]

In its original complaint, the FTC alleged that Uber engaged in a number of practices that failed to provide reasonable security to prevent unauthorized access to consumers’ personal information stored in its databases.[5] As a result of Uber’s failure to provide reasonable security measures, the FTC alleged that Uber’s databases were hacked.[6]

Uber eventually settled the FTC investigation by agreeing to improve its privacy and security practices, implementing a comprehensive privacy program, and agreeing to external audits monitoring its compliance for the next 20 years.[7] Uber was not fined by the FTC in connection with this complaint and investigation.

Uber’s Liability

As of today, regulators in the United Kingdom, the United States, and Italy have said they are opening investigations into Uber’s latest data breach. A class action lawsuit has also been commenced in California on behalf of drivers whose information was compromised, and the FTC said it is opening a new investigation into Uber.[8]

The Office of the Privacy Commissioner of Canada has contacted Uber to obtain more information regarding the breach and to confirm the impact on Canadian consumers.[9] It is not clear whether a formal investigation will be launched by the Commissioner at this time.

Given the extent of this most recent data breach, and the millions of users affected, Uber will face increasing liability from regulators worldwide, as well as face a multitude of class action lawsuits in jurisdictions where consumers’ information has been breached.

Uber’s data breach and the immediate ramifications the company is suffering underscore the requirement that businesses – big and small – get serious about cybersecurity. Retaining experienced counsel who can advise on potential security risks, data breach response measures, and consumer notification requirements is crucial to protecting your business.

By: David Cassin


[1] 2016 Data Security Incident, <https://www.uber.com/newsroom/2016-data-incident>.

[2] <https://www.nytimes.com/2017/11/21/technology/uber-hack.html>.

[3] Ibid.

[4] Federal Trade Commission Press Release, <https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data>.

[5] Federal Trade Commission Complaint, <https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf> at 4.

[6] Ibid at 5.

[7] Federal Trade Commission Press Release, <https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data>.

[8] <https://www.ft.com/content/20d98370-cf68-11e7-9dbb-291a884dd8c6>.

[9] <http://www.cbc.ca/news/business/uber-breach-canadians-1.4414354>.