Singapore

380,000 people in Singapore exposed in 2016 Uber hack

Authorities probing incident, including whether firm breached any laws

Personal information of 380,000 people here, including names, e-mail addresses and mobile phone numbers, were exposed when Uber was hacked in 2016, the ride-sharing company disclosed yesterday - owning up to what is Singapore's largest data breach to date.

Weeks after Uber came under fire for trying to conceal the hack that involved 57 million Uber riders and drivers worldwide, the true extent of the problem here is only starting to become clear.

Singapore authorities said that they are investigating the incident, including if the company had breached any laws.

Said privacy watchdog Personal Data Protection Commission (PDPC): "Uber's breach has affected a significant number of users in Singapore. The PDPC takes a serious view of data breaches and is investigating whether Uber has breached the data protection provisions of the Personal Data Protection Act (PDPA)."

The Land Transport Authority (LTA) said it "expects Uber to be fully transparent and cooperate with local regulators".

"Uber, as a transport service provider, should be held to high standards of public accountability in both ensuring commuter safety as well as complying with the PDPA," said an LTA spokesman.

The PDPC takes a serious view of data breaches and is investigating whether Uber has breached the data protection provisions of the Personal Data Protection Act (PDPA). Personal Data Protection Commission

While Uber has not disclosed the total number of riders and drivers here, Uber Singapore's general manager, Mr Warren Tseng, told The Straits Times in May that "over a million" people here actively use the app.

It emerged last monthUber paid US$100,000 (S$135,000) to the hacker responsible for the October 2016 hack to destroy the information in an effort to cover up the breach. Forensics experts hired by Uber said information such as credit card numbers or dates of birth were not exposed.

Yesterday, Uber said riders do not need to take action as it has not seen evidence of fraud or misuse. But it encouraged users to report anything unusual related to their accounts.

The company had earlier dismissed any link between the hack and reports of users here getting billed for rides they did not take.

In one instance, Uber rider Jenna Lim claimed that $1,300 worth of Uber rides she did not take were billed to her over a period of five days in November.

Uber said last month it had "no reason to believe" the two events are related.

Cybersecurity experts warned that a data breach could still be harmful even if it did not expose financial information.

Said Mr Sumit Bansal, managing director of Asean and Korea at network security firm Sophos: "By having these personal details, hackers can potentially guess your password and obtain clues about how you create passwords."

Technology