Uber submits to privacy audits for 20 years
Ride-hailing firm agrees to measures to settle FTC privacy complaints


Uber is to face 20 years of privacy audits after settling Federal Trade Commission (FTC) complaints that it deceived customers and didn't protect their personal data securely enough.
The ride-hailing firm has agreed to roll out a privacy programme that tackles any privacy risks to Uber's services, and protects people's personal information, as well as subjecting itself to a third-party audit every two years for the next 20 years.
It comes after alleged privacy breaches dating back to 2014 that led the FTC to file two complaints against the company.
"Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said the FTC's acting chairman, Maureen Ohlhausen.
The FTC claims Uber allowed its employees to access personal customer and driver records after it decided to stop using a self-developed solution that monitored employee access to its customers' data. The monitoring platform was in operation for less than a year, and after Uber stopped using it, the company didn't introduce any other process to monitor access.
Although Uber said at the time that its data was securely stored in its database, it has since transpired that this wasn't the case and that it failed to provide any kind of system that prevented unauthorised access to customers' confidential information.
Responding to media reports that Uber employees were improperly accessing customer data, Uber issued a statement in November 2014 saying a "strict policy" forbade such access to customer and driver information except for certain business purposes, and that their access would be closely monitored.
The following month it developed an automated system to monitor employee access to customer data, but the FTC claimed it stopped using this system less than a year later, and rarely monitored access for nine months afterwards.
Meanwhile, the FTC also claimed that while Uber said people's data was "securely stored within our databases", its security measures did not prevent unauthorised access to databases stored in Amazon Web Services' cloud. That allegedly enabled an intruder to steal 100,000 names and driver's license numbers from Uber's database in May 2014.
"This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honour your privacy and security promises," Ohlhausen said.

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.