[BreachExchange] Uber Rider or Driver? You Were Subject to Deceptive Privacy Claims, Says FTC
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Aug 17 19:17:30 EDT 2017
https://www.inc.com/erik-sherman/new-ftc-uber-settlement-is-another-reason-
travis-k.html
Ride with Uber? Drive with them? Your data may not have been secure or
private, according to a settlement today with the Federal Trade Commission
complaint over deceptive claims as announced in an agency conference call
today.
It's another fiasco from when co-founder Travis Kalanick ran the company --
and just one more reason why he should not regain control.
Although the company faces no financial penalty because there was no
financial loss to consumers, Uber agreed to have its data security and
privacy mechanisms audited every two years by a third party.
The settlement today stems from 2014 news reports that Uber employees had
broad access to private data of consumers using the service. At the time,
Uber responded with a strong statement about its strict privacy policy.
But, according to the FTC complaint, there were stretches of many months
where monitoring mechanisms and alerts were ignored. The data included
geolocation information -- pickup and destination points available from its
so-called "God View" tracking tool -- that can be paired with other
information for a prying look into someone's activities.
In addition, in May 2014, a massive data breach of Uber's accounts on
Amazon's cloud service -- made possible when an engineer posted an access
key providing "full administrative privileges" -- affected 100,000 people
registered as Uber drivers. Data taken included names and driver's license
numbers as well as unencrypted information for 215 bank accounts and 84
unencrypted Social Security numbers.
Unencrypted storage of private data is the sort of action that makes
experienced software engineers and security experts roll their eyes in
disbelief. It's like living in a city and leaving your front door unlocked
all the time.
Acting FTC chairman Maureen Ohlhausen made clear that, when it comes to
privacy, "companies will be held accountable for their promises," whether
fast-growing startups or large established businesses. She also noted that
the FTC does not comment on ongoing investigations, so Uber could
potentially be facing future actions on other issues.
This isn't the first time that Uber has come under fire from the FTC. In
January 2017, Uber agreed to pay $20 million to settle charges that it made
exaggerated earnings claims to recruit more drivers.
It's another brick in the foundation of Uber's troubled existence. Others
include charges of using software to evade law enforcement sting
operations, a culture that enabled sexual harassment and other problems,
and even running billions in the red each year when a path to ultimate
profitability, short of seeing all competitors disappear and then raising
prices, is unclear.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170817/1da5703e/attachment.html>
More information about the BreachExchange
mailing list