UBER fails to provide data on breach – NPC
UBER Philippines has failed to provide the National Privacy Commission (NPC) vital information whether Filipino data were involved in the self-reported breach of its riders and drivers, making it difficult for NPC to rule out that Filipino data was compromised.
NPC Commissioner Raymund Liboro reported that Uber was represented by its Data Protection Officer Yves Gonzalez at the meeting called by the former on Thursday to discuss UBER CEO Dave Khosrowshahi statement on Tuesday, Nov. 21, announcing that personal data of around 50 million UBER users and 7 million UBER drivers were compromised in a security incident dating back to October, 2016, and that Uber concealed the fact of this security incident.
Unfortunately, Liboro said, UBER failed to provide the Commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office.
“We cannot rule out at this time that any Filipino data was compromised,” he said.
But Liboro said that UBER committed to respond in detail to the Commission’s queries about the nature of the breach, what data was involved, and what measures were applied to address the breach, as soon as confirmed data becomes available.
The Commission had set a 48-hour deadline for Uber to provide vital information about the breach. The NPC has reminded Uber that the concealment of a data breach that involves sensitive personal information or information that, under the circumstances, can be used to enable identity fraud, is a criminal offense punishable under the Data Privacy Act of 2012.
The NPC has tapped its network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on this incident.
Following the UBER CEO’s public announcement, NPC immediately called UBER’s attention on concern about the possible impact of the breach on our citizens.
By virtue of its operations and processing of Filipino end user data, UBER is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws.
NPC wanted UBER to shed more light about the incident and to comply with the formal breach notification procedure as provided by the Data Privacy Act of 2012 (Republic Act No. 10173). This includes providing the NPC with detailed information on the nature of the breach, the personal data of Filipinos possibly involved, and the measures taken by UBER to address the breach.