FILIPINOS’ personal information have been compromised in the global data breach of California-based Uber Technologies Inc., according to the National Privacy Commission (NPC).
Privacy Commissioner Raymund E. Liboro on Tuesday reported the affirmation of Uber’s local unit personal information of Filipinos was exposed in the massive data breach last year.
“Yesterday, Uber wrote to us in compliance with their commitment to provide more detailed information about their data breach of October 2016. In that letter, Uber confirmed to us that personal information of Filipinos were exposed in the data breach,” Liboro said in a statement, explaining the agency now has official jurisdiction over the matter.
He added a meeting with Uber executives yielded scarce information, with NPC noting the transportation network company (TNC) “failed to provide the level of detail expected from personal-information controllers about data-breach notifications.”
Liboro said Uber failed to provide the NPC with the magnitude of the exposure of Filipinos and the number of passengers and users affected.
Uber has said that, while Filipino data subjects are affected, there is no indication that any Filipino driver’s licenses were downloaded.
Moreover, the TNC emphasized the incident did not breach Uber’s corporate systems and there is no indication that trip-location history, credit-card numbers, bank-account numbers or dates of birth were downloaded.
Last Wednesday night Uber CEO Dave Khosrowshahi said in a statement owning up to a global data breach affecting 50 million Uber users with international news citing personal information, such as names, e-mail addresses and phone numbers of passengers were stolen by hackers.
Uber concealed the incident for more than a year and paid off hackers $100,000 to delete the data. The TNC said two individuals inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
In the Data Privacy Act of 2012, personal information refers to “any information whether recorded in a material form, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
A personal-information controller, on the other hand, refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
Under this Philippine legislation, concealment of security breaches involving sensitive personal information entails a prison term ranging from 18 months to five years and fines not less than P0.5 million.
The maximum penalty will be imposed for offenses that involve the personal data of at least 100 people.
The Data Privacy Act enforces a data-breach notification procedure, among the provisions of which is notification to the commission within 72 hours of knowledge of, or when there is reasonable belief by the personal-information controller or processor that a personal data breach has occurred.