Uber’s August Settlement with the FTC and New Data Insecurity Revelations


This August, Uber settled FTC allegations of deceptive privacy and data security claims by agreeing to a privacy program and obtaining regular and independent audits. The FTC alleged that Uber falsely told its customers their personal information was monitored by data security specialists on an ongoing basis and that Uber was providing reasonable security for its customers’ personal information stored in databases. The company’s misrepresentation of its data security policies would therefore constitute “unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).”

Uber’s privacy and data security claims were made after press coverage that detailed employees’ broad access to customer data. In response to the articles, Uber issued a public statement explaining that access to driver and rider accounts was being monitored and audited by data security specialists on an ongoing basis. In the FTC Complaint, however, the agency alleged that Uber had not held true to its word. Although Uber developed an automated system to monitor employee access to customer data in December 2014, Uber stopped using that system by August 2015. By May 2016, Uber had stopped properly following up on alerts of potential misuse of customer data.

Furthermore, Uber represented to the public and its customers that customer data was safely secured. Uber has stored customer data in Amazon S3 Datastore, a third-party data storage system. The FTC alleged that Uber failed to provide reasonable security to prevent unauthorized access. This relaxed security resulted in a data breach in May 2014, when an intruder accessed personal information of Uber drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names with bank account and domestic routing numbers, and 84 unencrypted names with Social Security numbers.

Uber collects personal information from users of its ride-sharing app. Uber drivers provide the company with their names, email addresses, phone numbers, postal addresses, profile pictures, Social Security numbers, driver’s license information, bank account information (including domestic routing and bank account numbers), vehicle registration information, and insurance information. Uber riders provide their names, email addresses, postal addresses, and profile pictures. Uber also collects geolocation information on both drivers and riders when they are using the app.

In light of these charges, Uber agreed to a settlement and, according to an FTC Press Release, was “prohibited from misrepresenting how it monitors internal access to consumers’ personal information; prohibited from misrepresenting how it protects and secures that data; required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.”

Last week, the agency announced that it is looking into new allegations of a recently publicized Uber data breach from 2016, in which hackers stole personal data of 57 million customers and the company paid $100,000 to delete the data. In that attack, according to news reports, hackers used login credentials obtained from a private coding site used by Uber engineers to access Uber customer data stored in an Amazon Web Services account. When Uber discovered the attack, it paid the hackers to delete the stolen data. Uber further failed to disclose the hack to the affected customers until recently.

By failing to disclose the data breach and paying off the hackers, Uber may have broken FTC rules and state disclosure laws, according to The New York Times. The New York State Attorney General is also investigating the incident.

Noah Resnick is a 1L student at Harvard Law School.