November 24, 2017 | 7:42 PM GMT+0800 Last Edit: May 12, 2020
1. The National Privacy Commission summoned Uber to a meeting on Thursday, November 23, 5:30 PM to discuss the self-reported breach that was admitted by the CEO of the transport network vehicle service company.
2. Uber came to the meeting represented by its Data Protection Officer, Atty. Yves Gonzalez, accompanied by external counsel.
3. Unfortunately, Uber failed to provide the Commission with vital information at the meeting, especially on whether Filipino data are involved, citing limited information from their US Office.
4. We cannot rule out at that this time that any Filipino data was compromised.
5. Uber committed to respond in detail to the Commission’s queries about the nature of the breach, what data was involved, and what measures were applied to address the breach, as soon as confirmed data becomes available.
6. The Commission has set a 48-hour deadline for Uber to provide vital information about the breach.
7. The NPC has reminded Uber that the concealment of a data breach that involves sensitive personal information or information that, under the circumstances, can be used to enable identity fraud, is a criminal offense punishable under the Data Privacy Act of 2012.
8. The NPC has tapped its network of privacy regulators, particularly the Federal Trade Commission of the US, to share information on this incident.