Uber Philippines may face another penalty after its headquarters in the United States failed to immediately disclose the data breach last year.
This was according to Raymund Liboro, commissioner of the National Privacy Commission (NPC), the Philippines’ independent body that ensures the country’s compliance to data protection standards.
Dara Khosrowshahi, Uber’s newest CEO, disclosed on Nov. 21 that Uber was hacked last year in October, affecting personal data of 57 million users and 600,000 drivers around the world.
The NPC immediately called Uber Philippines to give more details on the incident and it was confirmed that Filipinos were among the users whose personal data were stolen.
Unfortunately, the ride-sharing company was not able to give the “level of detail that we expect from personal information controllers about data breach notifications, such as the actual number of Filipinos affected, and the scope of their exposure,” the NPC said.
When the hack happened last year, Uber did not inform regulators and authorities right away. They instead paid hackers $100,000 to delete the stolen data and kept the incident for a year.
“Under the Privacy Law, the minimum penalty for concealment of breach is about 1 1/2 to 5 years imprisonment and at least P1 million in fine,” Liboro said in a press briefing Tuesday, via a report by the Manila Standard.
Despite Uber having its main headquarters in the U.S., the NPC believes the issue is still under their jurisdiction because it involves Filipinos.
“By virtue of its operations and processing of Filipino end user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws,” Liboro said on Nov. 22.
The Land Transportation Franchising and Regulatory Board (LTFB) is also doing their own investigation on the data breach. Aileen Lizada, an LTFRB board member, said they will be calling Uber to listen to their side.
“The Board will be calling Uber’s attention on the matter of its alleged admission on the breach of data privacy and will conduct its own investigation,” Lizada said.
“The board needs to hear Uber’s side to allow us to judiciously resolve the matter.”
In August, the LTFRB suspended Uber’s operation after finding out that Uber violated a July 26 order to stop accepting applications for accreditation of transport network vehicle services (TNVS).
Grab was included in the order, but Uber activated three vehicles the next day, Aileen Lizada said in an interview with CNN Philippines.
Uber was asked to pay a fine of P190 million as an exchange for lifting the suspension.