The National Privacy Commission (NPC) said ride-sharing firm Uber has confirmed with the agency that personal information of Filipinos were among those exposed during a data breach in October 2016.
The agency said Uber made the disclosure in a letter as part of its commitment to provide more detailed information about the data breach, which reports said the company tried to conceal by paying ransom to hackers.
?In that letter, Uber confirmed to us that personal information of Filipinos were exposed in the data breach. As such, the National Privacy Commission has jurisdiction over the data breach insofar as it affects these Filipino citizens,? NPC chair Raymund Liboro said.
?Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure,? he said.
However, Liboro said Uber declared the following:
? Two individuals outside Uber inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
? The two Uber employees who led the response to the data breach are no longer with Uber.
? The compromised data includes the names and driver?s license of around 600,000 drivers in the United States and some personal information of 57 million Uber users around the world. The information included names, email-addresses and mobile phone numbers.
? The incident did not breach Uber?s corporate systems; there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
? Filipino data subjects are affected, but there is no indication that any Filipino driver’s licenses were downloaded.
? Uber has implemented security measures to restrict access to and strengthen controls on their cloud-based storage accounts.
Under the principle of accountability, Liboro said the NPC requires personal information controllers within the Philippines to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken.
While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the NPC warned that concealment of a data breach has serious consequences under the Data Privacy Act of 2012.
If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability, the commission said.
?We appreciate the continued participation and cooperation of Uber in this investigation. On their own initiative, Uber has placed an information page available within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature,? it said.
Liboro said it still investigating the issue and cooperating with data privacy authorities of Australia and the United States.
?We are not here to merely prosecute offences against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem where data flows freely and securely,? he said.