Uber failures led to 2014 hack exposing 100k drivers' details — FTC

Posted August 16, 2017

US regulators said on Tuesday that Uber Technologies Inc agreed to do more to protect the privacy of customer and driver data in settling allegations that the ride-hailing company had made deceptive privacy and data security claims. In May 2014, the names and licence plate numbers of 50,000 Uber drivers were exposed in a data breach.

"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data", FTC Acting Chairman Maureen K. Ohlhausen said in a news release. In addition, the company will have to implement a new, comprehensive privacy program that directly addresses the risks related to new and existing products.

Uber's privacy practices came in for criticism in November of 2014, when it emerged that the company had an internal tool, "God View", that gave employees access to customers' geolocation data while en route.

Uber agreed to settle a USA investigation that found the ride-hailing company deceived consumers by failing to protect their sensitive data. The FTC found that while Uber publicly said it had policies in place to limit improper access to this data, it had stopped using a system to monitor employee access to "god view" after less than a year. In January, Uber agreed to pay $20 million to the FTC to settle separate claims that it misled drivers about both potential earnings and the cost of leasing cars from the company.

As part of this recent settlement, Uber "neither admits nor denies" any wrongdoing, but has agreed to implement the changes ordered by the FTC.

"It doesn't matter whether you're a fast-growing company like Uber, a long-established brick-and-mortar company, an app developer or a behind-the-scenes entity like a data broker".

Deadly Flooding, Heavy Rainfall in Nepal Strands Hundreds
Around 600 tourists, including 200 Indians, are stranded in Sauraha in Nepal's Chitwan district, authorities said on Sunday. The situation remained tense on Saturday along the basins of major rivers like Saptakoshi, Kankai, Babai, Rapti and Mohana.

Uber says it has strengthened its privacy and data security practices and will keep investing in security programs.

"We are pleased to bring the FTC's investigation to a close", an Uber spokesperson said in an emailed statement.

Uber noted that in 2015 it hired its first chief security officer and "now employ hundreds of trained professionals dedicated to protecting user information".

Uber's security team has grown considerably since the 2014 allegations.

"This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information", he said.

Uber discovered the breach in September 2014, but according to the complaint, until March 2015 it was storing "sensitive personal information in the Amazon S3 Datastore in clear, readable text, including in database back-ups and database prune files, rather than encrypting the information".