November 28, 2017 | 11:51 AM GMT+0800 Last Edit: November 28, 2017
1. Yesterday, Uber wrote to us in compliance with their commitment to provide more detailed information about their data breach of October 2016.
2. In that letter, Uber confirmed to us that personal information of Filipinos were exposed in the data breach. As such, the National Privacy Commission has jurisdiction over the data breach insofar as it affects these Filipino citizens.
3. Unfortunately, Uber failed to provide the level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure. However, they declared the following:
4. Under the principle of accountability, we require personal information controllers within our jurisdiction to provide detailed information on the nature of the incident, the scope of the exposure, and the remedial measures taken.
5. While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012.
6. If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability.
7. We appreciate the continued participation and cooperation of Uber in this investigation. On their own initiative, Uber has placed an information page available within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.
8. The investigation continues. We are also cooperating with the data privacy authorities of Australia and the United States on this matter.
9. We are not here to merely prosecute offenses against data privacy, but to work with all stakeholders to ensure that we keep moving toward a safer data ecosystem where data flows freely and securely.