NPC won’t rule out breach of Filipinos’ data in Uber hacking

Font Size

By Patrizia Paola C. Marcelo

THE National Privacy Commission said it “cannot rule out” that data of Filipinos were compromised with the data breach of ride-sharing company Uber, after Uber Philippines (Uber Systems, Inc.) failed to provide the regulator with “vital” information.

Privacy Commissioner Raymund E. Liboro summoned Uber Philippines to a meeting to explain the breach reported by Uber CEO Dara Khosrowshahi.

Mr. Khosrowshahi, newly installed Uber CEO, had disclosed earlier this week that in late 2016, Uber discovered that hackers had inappropriately accessed user data, stored on a third-party cloud-based service the company uses, including personal information of 57 million Uber users around the world. The company also confirmed, as reported by Bloomberg, that it paid $100,000 to the hackers responsible, to delete the data and be quiet about the breach.

“The National Privacy Commission summoned Uber to a meeting on Thursday, November 23, 5:30 p.m., to discuss the self-reported breach that was admitted by the CEO of the transport network vehicle service company. Uber came to the meeting represented by its Data Protection Officer, Atty. Yves Gonzalez, accompanied by external counsel,” NPC said in a statement.

“Unfortunately, Uber failed to provide the Commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office. We cannot rule out at this time that any Filipino data was compromised.”

NPC said it has set a 48-hour deadline for Uber Philippines to give information about the breach.

“Uber committed to respond in detail to the Commission’s queries about the nature of the breach, what data was involved, and what measures were applied to address the breach, as soon as confirmed data becomes available,” NPC said.

The NPC said it has reminded Uber that under the Data Privacy Act of 2012, the concealment of a data breach involving sensitive personal information or information that can be used to enable identity fraud is a punishable criminal offense.

The NPC added that it has tapped its network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on this incident.

According to news reports, a spokesperson for the US FTC said the commission was “closely evaluating the serious issues raised” by the breach and Uber’s failure to disclose it.

Regulators in the United Kingdom and Australia are also conducting their own inquiries.