Privacy watchdog: 171K PH users affected by Uber data breach
The personal information of 171,000 Filipino Uber drivers and passengers had been compromised in a hack that Uber Technologies Inc. deliberately hid from public knowledge for more than a year, according to the head of the government body looking into the extent and implications of the breach.
Raymund Liboro, head of the National Privacy Commission (NPC), said only the users’ registered name, e-mail address, and phone number were compromised.
In a statement, Liboro said Uber Philippines, the local arm of the ridesharing company, had confirmed on Thursday that the extent of the impact was limited to these bits of information.
However, the NPC chief also noted receiving a report of “irregular processing” that suggests other data may have also been compromised, an allegation that the commission would still have to confirm in order to establish its link to the 2016 data breach incident.
“We were informed that around 171,000 Filipino citizens consisting of drivers and passengers were affected by the breach. We understand this to be based on the mobile phone numbers included in the registry,” he said. “We were also informed that the exposure of the affected data subjects was limited to their registered name, e-mail address and phone number.”
It remains unclear if specific Uber users would be informed that they were hacked.
The company’s US office last month made an admission of the breach, noting that the personal information of tens of millions of users worldwide had been compromised by a hack that Uber kept secret for more than a year.
Prior to Thursday’s disclosure, Uber Philippines could only confirm that Filipino users were also affected by the hack, without giving exact numbers.
1.3M active riders
According to Liboro, Uber Philippines reported having 1.3 million active riders in the country. The number of Uber drivers, meanwhile, is still up for validation but Liboro gave an estimate of below 100,000.
Uber’s explanation of the hack can be read on its official website. There is also an option for users to alert Uber if they think they’ve been hacked.
Reached for comment on Friday, Uber Philippines neither confirmed nor denied whether the company would actively inform users that they were among the 171,000 Filipinos whose personal information had been compromised.
Instead, Catherine Avelino, head of communications of Uber Philippines, referred the Inquirer to Uber’s blog post about the hack, stressing it has “everything we’re doing and have done.”
Liboro said the NPC is now looking into the processes and procedures that Uber said it had taken “to ensure that this matter never happens again.”
“We are paying particular attention to the steps taken to ensure that in the future, data breaches of this magnitude will not be concealed from regulators and from affected data subjects,” he said, noting that concealment of data breaches is a criminal offense.
Liboro also said further assistance to affected users could be included in NPC’s compliance order for Uber.
Uber Philippines previously claimed having no knowledge of the incident prior to the recent public admission made by its US office.
Under the Data Privacy Act of 2012, concealing security breaches that involve sensitive personal information carries a penalty that could reach up to five years of imprisonment and a fine of less than P500,000.
The necessary penalties, according to the law, would be imposed on people who, after learning about the breach, decided to conceal the fact, regardless of whether it was done intentionally or by omission.