Uber Technologies, Inc. has agreed to implement a privacy program and obtain independent audits in the next 20 years to settle Federal Trade Commission (FTC) charges that it failed to protect consumer and driver data.
As an independent agency of the U.S. federal government, the FTC announced the settlement Tuesday in Washington, D.C.
One of FTC charges was that due to the San Francisco-based company's failure to provide ride-hailing services, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and drivers' license numbers that Uber stored in a datastore operated by Amazon Web Services.
In addition, following media reports alleging Uber employees were improperly accessing consumer data, the company stated in November 2014 that it had a "strict policy prohibiting" employees from accessing rider and driver data, except for a limited set of legitimate business purposes, and that employee access would be closely monitored.
However, the FTC found that Uber developed an automated system for monitoring employee access to consumer personal information in December 2014, but the company stopped using the system less than a year after it was put in place; and that for more than nine months afterwards, the company rarely monitored internal access to personal information about users and drivers.
The FTC alleged that Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, it allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data. And, it stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.
"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," FTC Acting Chairman Maureen Ohlhausen was quoted as saying in a news release. "This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises."
To settle with the FTC, Uber agreed not to misrepresent its monitoring of internal access to consumers' personal information and its protection of such data; agreed to implement a program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information; and agreed to obtain every two years for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
