The personal information of a yet undetermined number of Filipino Uber users have been compromised in a breach late last year, a cyber-hacking that the company’s US office deliberately hid from public knowledge for more than a year now.
This is according to the National Privacy Commission (NPC), which said that Uber Philippines wrote to the agency on Monday to confirm that data of Filipino users were included in the millions of data stolen in October 2016.
Uber, however, claimed they could not give the extent of the impact of the breach.
Nevertheless, the NPC said that whether the stolen data was abused for fraud or other purposes or not, concealing the breach “bears serious consequences” under the law.
“In that letter, Uber confirmed to us that personal information of Filipinos were exposed in the data breach,” the NPC said in the statement.
“Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure,” it also said.
It has been more than a week since Uber Technologies Inc. admitted that it was hacked in October 2016, with “some personal information of 57 million Uber users” all over the world compromised. How this impacted Filipino users remains a mystery, even to the NPC.
While the ride-sharing company assured that the necessary actions have been made, Uber still purposely screened the information from the public until months into the term of its newest chief executive officer. Uber Philippines, for its part, claimed that it did not have prior knowledge about the breach.
‘Serious consequences’
“While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012,” the NPC said.
Under the Data Privacy Act of 2012, concealing security breaches that involve sensitive personal information face a penalty that could reach up to five years of imprisonment and a fine of less than P500,000.
The necessary punishments, according to the law, would be slapped on people who — after learning about the breach — decided to conceal the fact, regardless if this were done intentionally or by omission.
“If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability,” the NPC noted.
NPC is cooperating with its counterpart authorities in Australia and the United States on this matter, the agency said.
What was hacked?
Uber representatives deferred from commenting on the issue, even when asked about the latest number of active Uber users. There is an information page available under the “Accounts and Payment” option menu in the help section of the Uber app.
“We do not believe any individual rider needs to take any action,” Uber said in its app.
According to the blog post made by Uber CEO Dara Khosrowshahi, the hackers were able to download names, e-mail addresses, and mobile phone numbers of users across the globe; and the license numbers of drivers in the United States.
The company assured that no other data was stolen, noting that the necessary measures have been taken. Later, news organizations reported that Uber paid hackers $100,000 in order to destroy the stolen data.
According to NPC, Uber claimed that there is “no indication” that any Filipino driver’s license was downloaded. /kga