SINGAPORE: Ride-hailing service provider Uber on Friday (Dec 15) said that 380,000 Singapore users were affected in the massive data breach that took place in 2016.



In a note on its website, Uber said that this figure was "an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives".



"When the incident happened, we took immediate steps to secure the data, shut down further unauthorised access, and strengthen our data security," the company wrote.

It added that it does not believe any individual rider needs to take any action. "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection."

The data breach was first disclosed by Uber CEO Dara Khosrowshahi in a statement last month, which said that hackers found 57 million names, email addresses, mobile phone numbers and driver license information belonging to users and drivers of the service. To keep the breach secret, the hackers were paid US$100,000 to destroy the data.



When asked why the company did not issue an apology after the initial disclosure as well as on Friday, Uber's head of communications for Southeast Asia Leigh Wong told Channel NewsAsia in an email: "We have indeed released the numbers and our CEO has indeed commented - at length - on the matter here", with an embedded link pointing to the CEO's statement in November.



He also declined to comment further on other questions beyond what was stated on the website.

The Personal Data Protection Commission (PDPC) told Channel NewsAsia on Friday that it takes a "serious view" of data breaches and is investigating whether Uber has breached the data protection provisions of the Personal Data Protection Act (PDPA).

"Uber has assured the PDPC that no credit card or bank account numbers had been compromised, and that it had since taken steps to address the vulnerability. We expect Uber’s full cooperation in the course of the investigation," a PDPC spokesperson said.

It also reminded all companies to take the protection of their customers' personal data seriously, as beyond regulatory considerations, failure to do so will affect the reputation of an organisation and erode the trust it has built with customers.



"HIGH STANDARDS OF PUBLIC ACCOUNTABILITY" EXPECTED: LTA

The Land Transport Authority (LTA) also said on Friday that it was "concerned" about the reported data breach at Uber.

"Uber, as a transport service provider, should be held to high standards of public accountability in both ensuring commuter safety as well as complying with the PDPA in relation to the personal data of commuters or drivers that they have collected," the spokesperson said.

She added that LTA expects the company to be "fully transparent" and cooperate with local regulators to disclose the extent of those drivers and customers that have been affected here. ​​​​​​​



Uber is slowly shedding more light on the extent of the breach, country by country. On Tuesday, it announced that about 815,000 Canadians were hacked, days after the country’s privacy commissioner said it is opening a formal investigation into the 2016 incident, according to Canadian news media reports.

After the data breach was first made public last month, a company spokesperson had said then that Uber was in the process of notifying various regulatory and government authorities and it expects to have ongoing discussions with them. Singapore’s Personal Data Protection Commission said it was aware of the incident and is in touch with the company for more details.