LTFRB sets probe into Uber data breach

By on November 29, 2017


The Land Transportation Franchising and Regulatory Board (LTFRB) will conduct its investigation on the data breach involving personal data of users of ridesharing firm Uber in the Philippines. (ShutterStock)

MANILA — The Land Transportation Franchising and Regulatory Board (LTFRB) will conduct its own investigation into the data breach involving the personal data of users of ridesharing firm Uber in the Philippines.

This follows Uber's admission that information of Filipinos was exposed in a massive breach involving 57 million users worldwide dating back to October 2016.

“The Board will be calling Uber’s attention on the matter of its alleged admission on the breach of data privacy and will conduct its own investigation,” LTFRB board member Aileen Lizada said in a text message to reporters on Wednesday.

“The board needs to hear Uber’s side to allow us to judiciously resolve the matter,” she added.

The National Privacy Commission (NPC) is currently conducting its own investigation into the possible criminal and civil liabilities that the transportation network company may face under the Data Privacy Act of 2012.

“While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012,” according to Privacy Commissioner Raymund Liboro.

“If so qualified, those responsible for the concealment of the breach and for the exfiltration of the data may face serious civil and criminal liability,” he added.

The NPC head further said that Uber has failed to provide comprehensive information on the data breach, such as the actual number of Filipinos affected and the scope of the exposure.

The NPC considers Uber a Personal Information Controller, which should provide detailed information on the nature of the incident, the scope of measure, and the remedial measures taken.

For its part, Uber disclosed that two individuals outside the company inappropriately accessed user data stored on a third-party cloud-based service that it uses.

The compromised data included the names and driver's license numbers of about 600,000 drivers in the United States and some personal information, such as names, email addresses, and mobile phone numbers, of 57 million Uber users around the world.

Uber gave assurances that the incident did not breach its corporate systems and that there was no indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded.

Filipino data subjects were affected, but there was no indication that any driver’s license was downloaded, it said.

Uber has implemented security measures to restrict access and strengthen controls on its cloud-based storage accounts.

It has also placed an information page within the Accounts and Payment Options menu within the Help section of the Uber app. Filipino data subjects may avail of this feature.

The Data Privacy Act penalizes the concealment of security breaches involving sensitive information with imprisonment ranging from 18 months to five years and a fine of not less than PHP500,000.