THE National Privacy Commission (NPC) summoned Uber Philippines to fully explain their data processing operations after a global data breach affected users in the country.
The agency is also investigating Uber’s procedures on preventing future data breaches, NPC commissioner Raymund E. Liboro said in a statement.
“We have summoned them to appear before the Commission to further explain their data processing operations particularly the organizational, technical, and physical security measures Uber Philippines is implementing to protect Filipino drivers and riders,” he added.
In late November, Uber Systems, Inc. — the local unit of the ride-hailing platform — announced that around 171,000 drivers and riders in the Philippines were included in the 2016 security data breach which was reportedly only limited to the registered names, e-mail addresses, and phone numbers.
Around 57 million users of the app were affected globally after two individuals hacked into Uber’s account which was stored on a third-party cloud-based service.
Uber chief executive officer Dara Khosrowshahi in a statement last Nov. 21 assured that it did not affect the the company’s corporate systems.
Mr. Khosrowshahi also said that Uber took “immediate steps to secure the data and shut down further unauthorized access by the individuals” who accessed the system and implemented further safety measures. The Uber drivers were then notified and provided free credit monitoring and identity theft protection, he said.
Shortly after Uber Philippines notified the local authorities, NPC required personal information controllers to issue a report on the security breach.
“We are paying particular attention to the steps taken to ensure that in the future, data breaches of this magnitude will not be concealed from regulators and from affected data subjects,” Mr. Liboro said.
The commissioner also disclosed that NPC still continues to receive reporters of irregular processing which may be linked to the incident.
“As usual, we expect full cooperation from Uber on these matters,” he added.
Uber Philippines has yet to issue a statement on NPC’s order.
NPC also reminded the public that the concealment of data breaches which include personal information is a criminal offense which carries a penalty of at most five years of imprisonment and a fine of up to P1 million. — Anna G. A. Mogato