171,000 Filipinos seen affected by hacking of Uber website

The personal information of 171,000 Filipino Uber drivers and passengers had been compromised in a hack that Uber Technologies, Inc. deliberately hid from public knowledge for more than a year, a top official said.

Raymund Liboro, head of the National Privacy Commission (NPC) said only the users’ registered name, e-mail address, and phone number were compromised.

Liboro said in a statement that Uber Philippines, the local arm of the ridesharing company, had confirmed on Thursday that the extent of the impact was limited to these information.

However, he also noted receiving a report of “irregular processing” that suggests other data may have also been compromised, an allegation that the NPC would still have to confirm to establish its link to the 2016 data breach incident.

“We were informed that around 171,000 Filipino citizens consisting of drivers and passengers were affected by the breach. We understand this to be based on the mobile phone numbers included in the registry,” the Privacy Commissioner said.

“We were also informed that the exposure of the affected data subjects was limited to their registered name, e-mail address, and phone number,” he added.

This follows the admission made by the company’s US office last month, noting that the personal information of tens of millions of users worldwide had been compromised by a hack that Uber kept secret for more than a year.

Prior to Thursday, Uber Philippines could only confirm that Filipino users were also affected by the hack, but could not pin down the exact number of users whose personal information were actually compromised.

According to the privacy commissioner, Uber Philippines said there are 1.3 million active Uber riders in the country. The number of Uber drivers was still being validated but Liboro noted that it was below 100,000.

Uber’s explanation of the hack could be read in its website. There is an option for users to alert Uber if they think they’ve been hacked.

Uber Philippines neither confirmed nor denied if the company would actively inform users to let them know they were part of the 171,000 Filipinos whose personal information had been compromised.

Instead, Catherine Avelino, head of communications of Uber Philippines, referred the Inquirer to Uber’s blog post about the hack, noting that it has “everything we’re doing and have done.”

As of this writing, however, the blog post did not explicitly clarify if it would reach out to the users who were actually affected.

Liboro said they were now looking into the processes and procedures that Uber claims to have taken “to ensure that this matter never happens again.”

He said they have asked Uber to further explain their data processing operations particularly the organizational, technical and physical security measures.

“We are paying particular attention to the steps taken to ensure that in the future, data breaches of this magnitude will not be concealed from regulators and from affected data subjects,” he said, noting that concealment of data breaches is a criminal offense.

Liboro also said that further assistance to affected users could be included in NPC’s compliance order for Uber.

Up to now, it remains to be seen who would be held accountable. Uber Philippines previously claimed having no knowledge of the incident prior to the recent public admission made by its US office.

Under the Data Privacy Act of 2012, concealing security breaches that involve sensitive personal information faces a penalty that could reach up to five years of imprisonment and a fine of less than P500,000.

The punishments, according to the law, would be slapped on people who, after learning about the breach, decided to conceal the fact, regardless if this was done intentionally or by omission.

Read more...