Data Breach, Federal Trade Commission, News Events, Tip of the Week

Uber neglected to disclose a significant breach of consumer data that occurred in 2016

RISC

Uber neglected to disclose a significant breach of consumer data that occurred in 2016 and also mislead consumers about their privacy and data security practices according to the Federal Trade Commission. Uber allowed their employees access to riders’ personal information which included details of their trips.

The misinformation started in 2014 during which Uber referred to the issue as the “God View” mishap. Driver’s unencrypted personal, information including 100,000 names and driver’s license numbers stored in the datastore operated by Amazon Web Services, was hacked.

“The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach.” For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, Uber allowed them to use a single key that gave them full administrative access to all the data and did not require multi-factor authentication for accessing the data. In addition, “Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.”

The revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.

“The FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.”

The revised proposed complaint stated that Uber paid the intruders $100,000 through its 3rd party “bug bounty” program and did not disclose the breach to the consumers or the Commission until November 2017.

The Federal Trade Commission works to promote competition, protect, and educate consumers. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $41,484.

For more information and assistance email Train@RISCsecurity.com

 

Published by RISC

RISC Management & Consulting is an organization dedicated to information security and compliance, focused on healthcare & banking. RISC Management was founded by professionals with extensive experience in Healthcare, Information Security & Compliance to assist those organizations with obligations related to: HIPAA – The HITECH Act – HITRUST – Meaningful Use & ISO 27001 & 27002 RISC Management & Consulting offers several core practice areas to support the needs and legal obligations of our clients. All of our services are focused on getting you compliant with Privacy & Security requirements, quickly, completely, and affordably! To learn more about our Healthcare practice areas please visit www.RISCsecurity.com

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.