The National Privacy Commission on Friday said it had given Uber a 48-hour deadline to provide vital information on a breach of its data last year.
It summoned Uber to a meeting on Thursday over the data breach that was admitted by the CEO of the transport network vehicle service (TNVS) company.
“Unfortunately, Uber failed to provide the commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office,” Commissioner Raymund Enriquez Liboro said in a statement.
Liboro added that Uber came to the meeting represented by its Data Protection Officer, lawyer Yves Gonzalez, accompanied by an external counsel.
Earlier this week, Uber Chief Executive Officer Dave Khosrowshahi issued a statement to the public, announcing that personal data of around 50 million Uber users and 7 million Uber drivers were compromised in a security incident dating back to October 2016, and that Uber concealed the fact of this security incident.
“ We cannot rule out at this time that any Filipino data were compromised,” Liboro said.
“What is important to us now is to know if there are sensitive data involved like riders data, financial transaction data and credit card data of Filipinos. If none, then good. If there are, we want to know to what extent,” he added.
Liboro said Uber committed to respond in detail to the commission’s queries about the nature of the breach, what data were involved and what measures were applied to address the breach, as soon as confirmed data become available.
“ The [commission]has reminded Uber that the concealment of a data breach that involves sensitive personal information or information that, under the circumstances, can be used to enable identity fraud, is a criminal offense punishable under the Data Privacy Act of 2012,” he noted.
Liboro said they have tapped Uber’s network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on the incident.
“In instances like this, we also extend our understanding especially it is holiday in the United States so there’s a slowdown in getting information. Our actions will be based on what they will declare,” he added.
Liboro said the commission is yet to determine what action it will take if ever Uber fails to submit information within 48 hours.
“ They can just submit the vital information and the rest of the data can follow. What we want to know is how we can prevent this from happening again. But let us wait first for their report,” he added.
Another TNVS company, Grab Philippines, also on Friday assured its peers and users that all its data are kept secured, amid a hacking incident involving rival transport firm Uber.
“At Grab, we respect the privacy and confidentiality of our users’ data and operate in full compliance with the Data Security Act of 2012,” Leo Gonzales, Grab Philippines spokesman and Public Affairs head, said in a text message.
“We are committed to protecting our users’ data and would like to reassure all our partners that we have security and anti-fraud measures in place to ensure that their personal details remain safe and secure,” Gonzales added.
Earlier, Uber’s CEO revealed that the company was hacked in October last year, compromising personal information of 57 million Uber users.
“By virtue of its operations and processing of Filipino end user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws,” the National Privacy Commission said.
with REICELENE N. IGNACIO