Uber PH checks data if Filipinos included in hacked accounts

This March 1, 2017, file photo shows an exterior view of the headquarters of Uber in San Francisco. AP File Photo

Uber Philippines had no prior knowledge of the breach that compromised the personal information of millions of users around the globe, but could neither confirm nor deny that any Filipino data was also hacked.

This is according to Raymund Liboro, head of the National Privacy Commission (NPC), who called the local arm of Uber Technologies Inc. for a meeting on Thursday. However, the meeting failed to shed any conclusive light on the issue.

“Based on what happened, they said they didn’t have information. That’s what they said. For now, they cannot rule out that any Filipino data was not compromised,” Liboro told the Inquirer in a phone interview in a mix of English and Filipino.

The ride-sharing company, which helped change the face of transportation in some urban centers in the country, has been given until Saturday afternoon to verify whether Filipinos were also affected by the breach, he said.

On top of this, NPC also reached out on Friday to the US Federal Trade Commission, which is a bipartisan federal agency tasked to protect consumers while promoting competition, in order to see “if they have confirmatory data” about the issue.

This develops days after Uber’s chief executive officer Dara Khosrowshahi disclosed in a blog post that the company had hidden the fact that it was hacked in October last year, with “some personal information of 57 million Uber users” compromised.

The hackers, however, were able to download names, e-mail addresses and mobile phone numbers of users across the globe and the driver’s license numbers of drivers in the United States.

The company assured that no other piece of data was stolen, noting that the necessary measures have been taken. Later, news organizations reported that Uber paid hackers $100,000 in order to destroy the stolen data.

“The question here is whether or not it’s a reportable breach. We think that it’s a reportable breach. It’s not enough to say that you were breached. You have to provide the vital information,” Liboro said.

In a statement on Friday, NPC said that “Uber failed to provide the Commission with vital information [during] the meeting, especially on whether Filipino data are involved, citing limited information from their US Office.”

Under the Data Privacy Act of 2012, concealment of security breaches that involve sensitive personal information carries a penalty that could reach up to five years of imprisonment and a fine of less than P500,000.

The necessary punishments, according to the law, would be slapped on people who, after learning about the breach, decided to conceal the fact, regardless of whether this was done intentionally or by omission.

A circular released in December last year was even more specific about the responsibility of the parties involved to report. Under NPC Circular 16-03, the commission should have been notified within 72 hours “upon knowledge or the reasonable belief” that a breach might have occurred.

They don’t even have to be “absolutely certain about the scope of the breach” in order to report to NPC, the circular read.

A top official of Trend Micro Inc., a global leader in security software, criticized how the ride-sharing company handled the situation, noting that it “took the worst path possible” since it not only hid the fact but tried to sweep the issue under the rug by bribing the hackers.

“Let me be clear. Paying cybercriminals is unacceptable. Failing to disclose a breach that impacts millions is intolerable. There is no way to prove that the cybercriminals deleted the data after receiving payment. That’s not how the digital world works,” said Mark Nunnikhoven, company vice president for cloud research, in a blog post.