Uber confirms personal data of Filipino users exposed in breach
MANILA, Philippines — Ride-hailing firm Uber Philippines (Uber Systems, Inc.) has confirmed that personal information of Filipino users was included in the reported data breach involving over 50 million users and drivers worldwide, the National Privacy Commission said Tuesday.
Uber made the confirmation in a letter to the NPC on Monday.
However, Uber failed to provide the commission more information about the data breach, including the actual number of Filipinos affected and the “scope of their exposure.”
“Under the principle of accountability, we require personal information controllers within our jurisdiction to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken,” the NPC said in a press statement.
Despite its failure to disclose more detailed information about the compromised Filipino data, Uber, according to the NPC, nonetheless declared the following:
- Two individuals outside Uber inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
- The two Uber employees who led the response to the data breach are no longer with Uber.
- The compromised data includes the names and driver’s licenses of around 600,000 drivers in the United States and some personal information of 57 million Uber users around the world. The information included names, email addresses and mobile phone numbers.
- The incident did not breach Uber’s corporate systems; there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
- Filipino data subjects are affected, but there is no indication that any Filipino driver’s licenses were downloaded.
- Uber has implemented security measures to restrict access to and strengthen controls on their cloud-based storage accounts.
Serious consequences
Uber Chief Executive Officer Dara Khosrowshahi last week confirmed to Bloomberg US that a massive data breach happened last year and that it was concealed by its former chief security officer and one of his deputies.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Khosrowshahi was quoted as saying.
“None of this should have happened, and I will not make excuses for it,” he added.
In the same press statement on Tuesday, the NPC reminded Uber that concealment of a data breach “bears serious consequences” under the Data Privacy Act of 2012.
This was despite the company’s repeated assurance that there had been no evidence of fraud or misuse tied to the incident, the NPC noted.
“If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability,” the privacy commission said.
“The investigation continues. We are also cooperating with the data privacy authorities of Australia and the United States on this matter,” it added.
“We appreciate the continued participation and cooperation of Uber in this investigation. On their own initiative, Uber has placed an information page available within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.”