Uber to bend over, take privacy probe every two years for next 20 years
FTC forces taxi app upstart to let in auditors after complaints of data security cockups
Uber and America's trade watchdog have reached a settlement following claims the taxi app maker lied about the extent to which its staff can mine customers' personal info for fun.
The Federal Trade Commission's formal complaint [PDF] against the troubled San Francisco biz slammed the upstart's God View – a program that displayed every driver's and passenger's movements live during a party – and its staff for allegedly looking through user accounts for no good reason. Pop siren Beyonce was among the celebs and normal folk who had their records pried up by nosy Uber workers, it is claimed.
"Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data," the biz said in response to the claims. "The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors."
Uber said it had set up a system to detect unauthorized accesses to ensure customers' data remained out of the hands of prying staff, and the FTC notes it did so in December. However, this monitoring system was never finished nor staffed, the FTC found, and in August 2015 Uber stopped using it altogether and didn't install a new one until May 2016.
As well as this lapse in customer privacy, Uber was also slack with security, according to the watchdog. Despite repeated statements on its website claiming to protect people's information, the FTC found that Uber wasn't doing so – and so did at least one hacker.
On May 12, 2014, an Uber engineer uploaded to GitHub the keys to an Amazon S3 bucket containing internal records on thousands of drivers. Someone spotted the key and used it to access over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers from the AWS bucket.
Uber didn’t even discover the mistake until September 2014 and was tardy in warning its cabbies, the FTC found. Some drivers didn't get a warning letter about the break-in until July 2016, after it found the intrusion was more widespread than first thought. It was initially thought that 50,000 drivers were exposed by the Git cockup – the real number turned out to be double that.
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting chairman Maureen Ohlhausen today.
“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
As part of the settlement [PDF] Uber promises to protect its customer and driver data more carefully, and will hire a third party auditor to check that it's doing so every two years for the next two decades. It can be fined $40,654 per offense if it breaks the settlement. ®