April 2018 – RISC Management and Consulting

Uber neglected to disclose a significant breach of consumer data that occurred in 2016 and also mislead consumers about their privacy and data security practices according to the Federal Trade Commission. Uber allowed their employees access to riders’ personal information which included details of their trips.

The misinformation started in 2014 during which Uber referred to the issue as the “God View” mishap. Driver’s unencrypted personal, information including 100,000 names and driver’s license numbers stored in the datastore operated by Amazon Web Services, was hacked.

“The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach.” For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, Uber allowed them to use a single key that gave them full administrative access to all the data and did not require multi-factor authentication for accessing the data. In addition, “Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.”

The revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.

“The FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.”

The revised proposed complaint stated that Uber paid the intruders $100,000 through its 3rd party “bug bounty” program and did not disclose the breach to the consumers or the Commission until November 2017.

The Federal Trade Commission works to promote competition, protect, and educate consumers. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $41,484.

For more information and assistance email Train@RISCsecurity.com

To date, the Federal Trade Commission (FTC) has sued hundreds of companies and individuals who were responsible for placing unwanted calls, and has obtained over a billion dollars in judgments against violators. In addition, the FTC has sponsored a series of robocall contests challenging the tech savvy public to design tools that block robocalls and help investigators track down and stop robocallers. The FTC also is encouraging industry efforts to combat caller ID spoofing.
Tips and Advice

For Identity Theft please visit IdentityTheft.gov. It is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process, see some examples below. For a printable checklist click here.

Step 1: Call the companies where you know fraud occurred.

Step 2: Place a fraud alert and get your credit reports.

Step 3: Report identity theft to the FTC.

You may choose to file a report with your local police department.

Close new accounts opened in your name.

Remove bogus charges from your accounts.

Correct your credit report.

Consider adding an extended fraud alert or credit freeze.

How to Keep Your Personal Information Secure Online and Offline

Protecting your personal information can help reduce your risk of identity theft. There are four main ways to do it: know who you share information with; store and dispose of your personal information securely, especially your Social Security number; ask questions before deciding to share your personal information; and maintain appropriate security on your computers and other electronic devices.

For Online Security click here

Limiting Unwanted Calls and Emails

Privacy Choices

Federal law provides you the right to stop some sharing of your financial information

Robocalls

You are allowed to block unwanted calls. Telemarketing sales calls with recorded messages are generally illegal unless you have given the company written permission to call you. See how to below.

Do Not Call

Learn:

How to put your cell phone number on the National Do Not Call Registry. They provide tips to help you stop unwanted calls. Visit donotcall.gov to register your number or calling 1-888-382-1222 from the phone you want to register.
How to hang up on phone scammers and hold onto your money. Follow up by filing a complaint with the FTC.
About your rights when it comes to telemarketing calls including pre-recorded messages.

Spam

You can reduce unwanted commercial emails. Text message spam is a triple threat: It often uses the promise of free gifts or product offers to get you to reveal personal information; it can lead to unwanted charges on your cell phone bill; and it can slow cell phone performance.

Text message Spam is illegal.

It’s illegal to send unsolicited commercial email messages to wireless devices, including cell phones and pagers, unless the sender gets your permission first. It’s also illegal to send unsolicited text messages from an auto-dialer — equipment that stores and dials phone numbers using a random or sequential number generator.

Exceptions to the law:

Transactional or relationship types of messages. If a company has a relationship with you, it can send you things like statements or warranty information.
Non-commercial messages. This includes political surveys or fundraising messages.

Good News

Those who violate the National Do Not Call Registry or place an illegal robocall can be fined up to $41,484 per call.