November ended on a bad note for app-based ride-sharing service Uber. On Monday (November 27), the National Privacy Commission (NPC) announced that Uber Philippines had confirmed to the agency that data on Philippines-based users were among those of the 57 million accounts from around the world that were compromised in a massive hacking against Uber’s parent company Uber Technologies Inc.
There is still no certainty about how this issue has impacted or will impact Filipino Uber drivers and passengers. NPC has warned that when proven that the company has intentionally concealed the problem to the regulators, Uber’s executives might be sued for violating Data Privacy Act of 2012, which could bring a sentence of up to five years imprisonment and up to P500,000 in fine.
To better understand this hacking problem that hit Uber, it would be better to look at where it all began. In October 2016, two hackers accessed Uber’s data through third-party cloud-based service GitHUb, a website that is popular among engineers and companies that store code and track projects online. According to some security experts, this hack was not even sophisticated as companies usually accidentally keep information in source codes uploaded in GitHub.
To resolve the problem, Uber Technologies paid the hackers $100,000 in exchange of an assurance that the data the latter inappropriately obtained be destroyed. In most countries where Uber operates, it is a violation of laws to pay hackers and not immediately report similar breaches to the authorities.
The timeline
Uber Technologies’ new CEO Dara Khosrowshahi assumed office on September 5 this year. According to reports published in The Wall Street Journal, Khosrowshahi was oriented about the problem two weeks after he got into office (or week of September 18). But the issue surfaced in the U.S. only on November 21.
According to reports, Khosrowshahi had reasons to keep this problem undisclosed to the public for a few weeks. He logically ordered an investigation after he learned about it and could have thought it would be appropriate to let the public know after the probe results are finalized. Uber Technologies also reportedly plans to fire two executives that allegedly covered the data breach in October 2016.
Why this matters to you
Uber Technologies assure that no trip location history, credit card details, bank account digits, or dates of birth were downloaded by hackers. It said the breach compromised data like names and license numbers of a portion of drivers and names, email addresses, and mobile numbers of up to 57 million Uber users (a fraction of its total users) globally.
However, some experts warn that an Uber hack could bring about worse aftermaths. This is because the company has not just users’ addresses and credit card information (though Uber claims that credit card details were not compromised) but also details on affected passengers’ movements and travel history. Thus, a smart hacker could easily find your home or office address or find out where you could possibly be at any given time.
In a report published in the Philippine Daily Inquirer on November 29, Uber Philippines claimed that it did not have prior knowledge about the breach. The company is yet to make any official announcement or statement to explain its side about the issue or clarify the extent of the impact of the global breach on Filipino Uber drivers and passengers.