Uber Technologies, Inc. will implement a privacy programme and obtain independent audits over the next 20 years to settle Federal Trade Commission (FTC) charges that it failed to protect consumer and driver data.
The FTC, an independent agency of the US federal government, announced the settlement on Tuesday in Washington, Xinhua news agency reported.
One of the FTC's charges was that, due to the San Francisco-based company’s failure to provide ride-hailing services, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and drivers’ license numbers that Uber stored in a data-store operated by Amazon Web Services.
Following media reports alleging Uber employees were improperly accessing consumer data, the company in November 2014 said it had a “strict policy prohibiting” employees from accessing rider and driver data, except for a limited set of legitimate business purposes, and that employee access would be closely monitored.
However, the FTC found that Uber developed an automated system for monitoring employee access to consumer personal information in December 2014, but the company stopped using the system less than a year after it was put in place.
The federal agency found that for more than nine months afterwards, the company rarely monitored internal access to personal information about users and drivers.
The FTC said Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud.
Instead, it allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data.
It also stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.
“Uber failed consumers in two key ways — by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and by misrepresenting that it took reasonable steps to secure that data,” FTC Acting Chairman Maureen Ohlhausen said.
“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
To settle with the FTC, Uber agreed not to misrepresent its monitoring of internal access to consumers’ personal information and its protection of such data.
The company agreed to implement a programme that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information.
It will also obtain independent, third-party audits every two years for the next 20 years, certifying that it has a privacy programme in place that meets or exceeds the requirements of the FTC order.