THE National Privacy Commission (NPC) gave a transport network company (TNC) 48 hours to provide it with information on the extent of riders’ and drivers’ information that were leaked following a security breach.
“Unfortunately, Uber failed to provide the Commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office,” said NPC Commissioner Raymund Enriquez Liboro in a statement on Friday.
NPC summoned Uber to a meeting on Thursday, November 23, to discuss Chief Executive Officer Dave Khosrowshahi’s public admission that personal data of an estimated 50 million Uber users and 7 million drivers were compromised in a security incident dating back to October 2016, and that the TNC concealed it.
“We cannot rule out at that this time that any Filipino data was compromised,” Liboro said.
Liboro said Uber committed to respond in detail to the Commission’s queries about the nature of the breach, what data was involved, and what measures were applied to address the breach, as soon as confirmed data had become available.
“The NPC has reminded Uber that the concealment of a data breach that involves sensitive personal information or information that, under the circumstances, can be used to enable identity fraud, is a criminal offense punishable under the Data Privacy Act of 2012,” said Liboro.
He said the NPC has tapped its network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on this incident.
Liboro said Uber came to Thursday’s meeting represented by its Data Protection Officer, lawyer Yves Gonzalez, accompanied by external counsel. ANNA LEAH E. GONZALES