Officials of Uber Philippines have been summoned by the National Privacy Commission (NPC) to explain if any information from their local users was compromised in a massive breach the company experienced last year.
NPC commissioner Raymund Liboro said a meeting with Uber officials was set for Nov. 23, “to shed more light about the incident and to comply with the formal breach notification procedure” as required by the Data Privacy Act of 2012.
“The NPC is concerned about the possible impact of the breach on our citizens. By virtue of its operations and processing of Filipino end-user data, Uber is considered a personal information controller and must comply with Philippine data privacy and protection laws,” Liboro said in a statement.
On Tuesday, Uber CEO Dara Khosrowshahi announced on the company website that “two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”
While saying that the company had not seen any indication that details like credit card numbers and dates of birth were obtained, he said “some personal information of 57 million Uber users around the world” was downloaded in the breach.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” Khosrowshahi said.
Liboro said the NPC wants Uber Philippines to provide “detailed information on the nature of the breach, the personal data of Filipinos involved and the measures taken by Uber to address the breach.”