Around 100,00 Kiwis had their names, emails and mobile numbers downloaded in a worldwide hack of Uber customers and drivers.
The hack, which Uber was aware of in late 2016, only came to the attention of the Office of the Privacy Commissioner in New Zealand, when Uber notified them of the breach on November 22, 2017.
The Office of the Privacy Commissioner says there's been no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were in the files that were downloaded.
The one-year gap between the breach and notification shows why breach notification should be mandatory, says commissioner John Edwards.
"When personal information is lost, individuals need to take action to protect themselves. People cannot take the action they need to take if they don't know about the data breach in the first place," he said.
Around 57 million Uber users were hacked worldwide.
Uber is contacting all drivers with driver's license numbers in the downloaded files and providing all those drivers with free identity theft protection.
The Office of the Privacy Commissioner has not received any complaints from affected individuals to date.