Statement of Privacy Commissioner Raymund Enriquez Liboro on the personal data breach sustained by Uber in 2016

Late last night, Uber Chief Executive Officer Dave Khosrowshahi issued a statement to the public announcing that personal data of around 50 million Uber users and 7 million Uber drivers were compromised in a security incident dating back to October 2016, and that Uber concealed the fact of this security incident.

The National Privacy Commission (NPC) is concerned about the possible impact of the breach on our citizens. By virtue of its operations and processing of Filipino end user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws.

To this end, we have summoned Uber to a meeting on November 23, 2017 to shed more light about the incident and to comply with the formal breach notification procedure as provided by the Data Privacy Act of 2012 (Republic Act No. 10173). This includes providing the NPC with detailed information on the nature of the breach, the personal data of Filipinos possibly involved, and the measures taken by Uber to address the breach.

We will release vital information to the public as they become available.