According to the Federal Trade Commission, Uber failed to disclose a significant breach of consumer data that occurred in 2016 and also misled consumers about its privacy and data security practices. Uber had allowed its employees access to riders' personal information, including details of their trips.
The misrepresentations began in 2014, in connection with what Uber referred to as the "God View" incident. Drivers' unencrypted personal information, including 100,000 names and driver's license numbers stored in a datastore operated by Amazon Web Services, was accessed by an intruder.
"The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach." For example, Uber did not require its engineers to use distinct access keys to reach personal information stored in the cloud; instead it let them share a single key that granted full administrative access to all of the data, and it did not require multi-factor authentication for that access. In addition, "Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud."
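The three failures the FTC lists (one shared admin key, no MFA, unencrypted backups) are the kind of thing an account owner can check for and block with a bucket policy. The following is an added example written for this page, not code from Uber, the FTC or RISC. It audits a credential report in the column layout of `aws iam get-credential-report` (the report below is constructed, and the account id and bucket name are placeholders) and builds the S3 bucket policy that denies access without MFA and refuses unencrypted uploads.

```python
"""Checks for the control failures described above: long-lived or root-level
cloud access keys, missing MFA, and unencrypted data at rest.

Added example; not Uber's, the FTC's or RISC's code. The credential report is
constructed in the column layout of `aws iam get-credential-report` (subset of
columns; csv.DictReader ignores the ones we do not read). Account id
123456789012 and bucket "rider-trips" are placeholders.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2014-01-02T00:00:00+00:00,false,N/A
backend-eng,arn:aws:iam::123456789012:user/backend-eng,true,false,true,2015-03-01T00:00:00+00:00,false,N/A
ops-lead,arn:aws:iam::123456789012:user/ops-lead,true,true,true,2017-09-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,false,N/A,false,N/A
"""

# Constructed audit date, chosen to match the sample report above.
AUDIT_DATE = datetime(2017, 11, 21, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A', 'no_information' and
    'not_supported' carry no date and parse to None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, code, detail) findings.
    Codes: ROOT_ACCESS_KEY, ROOT_NO_MFA, PASSWORD_NO_MFA, STALE_ACCESS_KEY."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [k for k in ("1", "2")
                       if row[f"access_key_{k}_active"] == "true"]
        if user == "<root_account>":
            # The root identity has full access to everything; it must never
            # hold long-lived keys and must be MFA-protected.
            if active_keys:
                findings.append((user, "ROOT_ACCESS_KEY", "root has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "ROOT_NO_MFA", "root has no MFA device"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "PASSWORD_NO_MFA", "console login without MFA"))
        for k in active_keys:
            rotated = _parse_ts(row[f"access_key_{k}_last_rotated"])
            if rotated is None or (now - rotated).days > max_key_age_days:
                age = "unknown" if rotated is None else (now - rotated).days
                findings.append((user, "STALE_ACCESS_KEY",
                                 f"access key {k} last rotated {age} days ago"))
    return findings


def bucket_guard_policy(bucket):
    """S3 bucket policy: deny every action unless the caller authenticated
    with MFA (BoolIfExists also catches requests where the key is absent),
    and deny PutObject that does not request server-side encryption."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWithoutMFA",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def run_sample():
    """Audit the constructed report as of AUDIT_DATE."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_DATE)


if __name__ == "__main__":
    for user, code, detail in run_sample():
        print(f"{code:16} {user:14} {detail}")
```

The credential report cannot show that one key is shared by many people; that shows up only in the access logs (many source addresses and services using one access key id) and in the organisational fact that engineers never received keys of their own. The audit above catches what the report can see: a root-level key, console users without MFA, and keys that were never rotated, which is how a single shared key looks once it has been in use for years.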
The revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.
“The FTC charged that the company had failed to live up to its claims that it closely monitored employee access to rider and driver data and that it deployed reasonable measures to secure personal information stored on a third-party cloud provider’s servers.”
The revised proposed complaint stated that Uber paid the intruders $100,000 through its third-party "bug bounty" program and did not disclose the breach to consumers or the Commission until November 2017.
The Federal Trade Commission works to promote competition and to protect and educate consumers. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $41,484.
For more information and assistance email Train@RISCsecurity.com