Uber’s Endless Summer: FTC Settlement over Bogus Security, Privacy Claims

In-brief: Uber’s Endless Summer continued on Tuesday, when the ride sharing start-up settled with the U.S. Federal Trade Commission (FTC) over charges that the company failed to reasonably secure sensitive consumer data that it collected and stored.

The U.S. Federal Trade Commission (FTC) said on Tuesday that it has reached a settlement with ride sharing firm Uber over charges that the company failed to reasonably secure sensitive consumer data that it collected and stored.

The San Francisco ride sharing giant agreed to implement what the FTC described as a “comprehensive privacy program” and obtain regular, independent audits to settle charges in an FTC complaint that Uber didn’t adequately monitor employee access to consumer personal information and failed to reasonably secure sensitive consumer data stored in the cloud.

The complaint stemmed from reports that Uber employees were using access to customer data to snoop on the doings of celebrities and ex-lovers. The behavior was first noted in 2014, at which time Uber responded by implementing a strict prohibition on employee access to driver and customer data and a monitoring program. But the FTC alleges that Uber stopped the monitoring program months after starting it and then, for almost a year, didn’t follow up on warnings about improper access to people’s private information.

In all, the information included more than 100,000 drivers’ names and license numbers. The complaint alleges that Uber could have taken reasonable, low-cost measures that could have helped the company prevent the breach.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen K. Ohlhausen in a statement. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

The reports, which first surfaced in 2014, have been corroborated by former employees, who say that company insiders are still able to monitor the doings of customers, despite a “strict policy prohibiting” employees from accessing rider and driver data.
