Transportation giant Uber’s cover-up of a breach involving 57 million passengers and drivers has caused massive concerns about data privacy.
Instead of notifying the public and regulators about the breach, Uber paid the hackers US$100,000 (SGD$134,000) to delete the stolen data and keep the attack secret.
The Personal Data Protection Commission (PDPC), Singapore’s data privacy watchdog, proposed major changes to the Personal Data Protection Act, to require organisations to inform customers as soon as a breach is discovered. If the breach involves more than 500 individuals, the PDPC must also be informed within 72 hours so it can coordinate a response on a national level.
Singapore’s Cyber Security Agency (CSA) must also be involved once the breach involves critical infrastructure, such as the energy, telecommunications, and transport sectors, according to the proposal, which is expected to be discussed in Parliament next year.
“We have seen how successful cyberattacks overseas have disrupted essential services and affected the lives of citizens,” CSA chief executive David Koh told the
Straits Times. “We cannot afford to take a laissez faire approach.”
Uber has an office in almost every market it operates in, including Singapore. However, it is unclear whether Singapore’s data privacy laws apply to Uber.
“It depends on which Uber outfit owns and processes consumers’ personal data,” added Gilbert Leong, a senior partner at law firm Dentons Rodyk & Davidson. “Without mandatory disclosure requirements, consumers’ position is considerably weakened.”
Related stories:
XL Catlin: Are insurance clients starting to get cyberattack breach fatigue?
Beazley in signature cyber coverage overhaul
Nationwide survey highlights cyberattack numbers in US
