Transport network company Uber’s operations in the Philippines was among those hit in a massive data breach involving 57 million users worldwide dating back to October 2016.
In a statement Tuesday, the National Privacy Commission (NPC) warned that Uber may face serious criminal and civil liabilities under the Data Privacy Act of 2012.
“While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012,” said Privacy Commissioner Raymund Liboro.
“If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability,” he added.
Liboro explained that the transportation network company confirmed the information in a letter submitted Monday to the commission in compliance with their commitment to provide details on the data breach.
“Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure,” he explained.
The NPC considers Uber as a Personal Information Controller and should provide detailed information on the nature of the incident, the scope of measure, and the remedial measures taken.
For its part, Uber disclosed that two individuals outside the company inappropriately accessed user data stored on a third-party cloud-based service that it uses.
The compromised data included the names and drivers of about 600,000 drivers in the United States and some personal information, such as names, email addresses, and mobile phone numbers of 57 million Uber users around the world.
Uber assured that the incident did not breach its corporate systems nor was there any indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
Filipino data subjects were affected, but there was no indication that any driver’s license was downloaded, it said.
Uber has implemented security measures to restrict access and strengthen controls on their cloud-based storage accounts.
It has also placed an information page within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.
The NPC assures that it will continue its investigation and will cooperate with the data privacy authorities of Australia and the US on the matter.
“We are not here to merely prosecute offenses against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem, where data flows freely and securely,” Liboro said.
Under the Data Privacy Act, a personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
The law penalizes the concealment of security breaches involving sensitive information with imprisonment ranging from 18 months to five years and a fine of not less than P500,000.