Statement of Privacy Commissioner Raymund Enriquez Liboro on the Uber Personal Data Breach

November 28, 2017 | 11:51 AM UTC Last Edit: November 28, 2017

Press Statement
28/11/2017

1. Yesterday, Uber wrote to us in compliance with their commitment to provide more detailed information about their data breach of October 2016.


2. In that letter, Uber confirmed to us that personal information of Filipinos was exposed in the data breach. As such, the National Privacy Commission has jurisdiction over the data breach insofar as it affects these Filipino citizens.


3. Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure. However, they declared the following:

  • Two individuals outside Uber inappropriately accessed user data stored on a third-party cloud-based service that Uber uses.
  • The two Uber employees who led the response to the data breach are no longer with Uber.
  • The compromised data includes the names and driver’s licenses of around 600,000 drivers in the United States and some personal information of 57 million Uber users around the world. The information included names, email addresses and mobile phone numbers.
  • The incident did not breach Uber’s corporate systems; there is no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.
  • Filipino data subjects are affected, but there is no indication that any Filipino driver’s licenses were downloaded.
  • Uber has implemented security measures to restrict access to and strengthen controls on their cloud-based storage accounts.

4. Under the principle of accountability, we require personal information controllers within our jurisdiction to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken.


5. While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012.


6. If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability.


7. We appreciate the continued participation and cooperation of Uber in this investigation. On their own initiative, Uber has made an information page available under the Accounts and Payment Options menu in the Help section of the Uber app. Filipino data subjects may avail of this feature.


8. The investigation continues. We are also cooperating with the data privacy authorities of Australia and the United States on this matter.


9. We are not here to merely prosecute offenses against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem where data flows freely and securely.