Uber admits some PH users’ data exposed
The personal information of a yet undetermined number of Filipino Uber users have been compromised in a breach late last year, a hack that the company’s US office deliberately hid from the public for more than a year.
This is according to the National Privacy Commission (NPC), which said that Uber Philippines wrote to the agency on Monday to confirm that data on Filipino users were among those compromised in the hacking in October last year.
It was uncertain how Uber could confirm this while it had claimed it could not give the extent of the impact of the data breach.
Regardless of whether the data were used for fraud and other purposes or not, NPC said concealing the breach “bears serious consequences” under the law.
“In that letter, Uber confirmed to us that personal information of Filipinos were exposed in the data breach,” Privacy Commissioner Raymund Liboro said in the statement.
“Unfortunately, Uber failed to provide the details that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure.”
It has been more than a week since Uber Technologies Inc. admitted that it was hacked in October 2016, with “some personal information of 57 million Uber users” all over the world compromised. How this impacted Filipino users remains uncertain, even to the NPC.
While the ridesharing company assured the public that necessary actions had been made, Uber still purposely hid the information from the public until months into the term of its newest chief executive officer. Uber Philippines, for its part, claimed it did not have prior knowledge about the breach.
“While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012,” Liboro said.
Under the Data Privacy Act of 2012, concealing security breaches that involve sensitive personal information face a penalty that could reach up to five years of imprisonment and a fine of about P500,000.
The necessary punishments, according to the law, would be slapped on people who—after learning about the breach—decided to conceal the fact, whether done intentionally or by omission.
“If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability,” Liboro said.
NPC is cooperating with its counterpart authorities in Australia and the United States on this matter, he added.
Uber representatives deferred from commenting on the issue, even when asked about the number of its active Uber users to-date.
In an information page under the “Accounts and Payment” option menu in the help section of the app, Uber said “we do not believe an individual rider needs to take any action,” Uber said in its app.
According to the blog post made by Uber CEO Dara Khosrowshahi, the hackers were able to download names,
e-mail addresses and mobile phone numbers of users across the globe and the driver’s license numbers of drivers in the United States. Other pieces of data were not breached,
The company said no other piece of data was stolen. Later, news organizations reported that Uber paid hackers $100,000 to destroy the stolen data.
Liboro said Uber had claimed there was “no indication” that any information on Filipino drivers’ licenses were downloaded.
