How much information does Uber have about its riders and drivers? A lot. The FTC just announced a settlement addressing charges that the company falsely claimed to closely monitor internal access to consumers’ personal information on an ongoing basis. The FTC also alleges that Uber failed to live up to its promise to provide reasonable security for consumer data.
Uber collects and maintains sensitive information about its riders – for example, names, addresses, profile pictures, and detailed trip records, including geolocation. When people sign up to be Uber drivers, the company collects a lot of data, too – Social Security numbers, driver’s license numbers, bank account numbers, car registrations, and the like.
The story behind the FTC’s complaint goes back to at least 2014. That’s when the company was the subject of news reports alleging that Uber employees had improperly accessed riders’ personal information. How did consumers react? Not well.
To respond to the controversy, Uber posted this statement on its site:
Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors . . . .
The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.
How did Uber store some of the sensitive information in its possession? Uber used a well-known third-party cloud storage service to maintain large amounts of it, including back-ups of its massive rider and driver databases. Uber claimed it “securely stored” personal information, using “standard, industry-wide, commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) . . . .”
If consumers expressed reluctance to provide personal data, customer service reps assuaged their concerns by promising that Uber was “extra vigilant” and that their information “will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.”
That’s what Uber said, but what was going on behind the scenes? According to the complaint, despite the promise of “ongoing” monitoring by data security specialists, the system Uber implemented in December 2014 wasn’t designed or staffed to effectively monitor the data that Uber workers were accessing, so the company abandoned it. From August 2015 until May 2016, Uber didn’t follow up in a timely fashion on alerts concerning the possible misuse of consumers’ personal information. For a particular six-month period, Uber only monitored access to the account information of a select group. Who? Certain high-profile users, including Uber executives.
The FTC also alleges that Uber engaged in practices that, taken together, failed to provide reasonable security for personal information in the cloud storage service. You’ll want to read the complaint for details, but according to the FTC, Uber let all programs and engineers that accessed the cloud storage service use a single access key that provided full admin privileges over everything Uber stored there, failed to restrict access based on employees’ job functions, failed to require multi-factor authentication for access, and stored sensitive information in clear, readable – in other words, unencrypted – text. What’s more, until September 2014, Uber failed to implement reasonable security training and guidance and didn’t even have a written information security program. According to the complaint, Uber could have prevented those failures by using readily available low-cost measures.
What was the upshot? In May 2014, an intruder used an access key an Uber engineer had publicly posted on a code-sharing site to access the names and driver’s license numbers of 100,000 Uber drivers, as well as some bank account information and Social Security numbers. The FTC says Uber didn’t discover the breach for almost four months.
The proposed settlement prohibits Uber from misrepresenting its privacy and security practices. It also requires Uber to put a comprehensive privacy program in place and to get independent third-party audits every two years for the next 20 years. You can file a public comment about the settlement until September 15, 2017.
If you or your clients collect consumers’ personal information, you’ll want to read the pleadings for a detailed explanation of what the FTC says Uber did (and didn’t do) that rendered the company’s privacy and security claims deceptive. But the main takeaway from the complaint allegations boils down to a unsurprising principle. Consumers expect all businesses – from brick-and-mortar Mom-and-Pops to innovative tech giants – to live up to their privacy and security promises whether they store consumers’ personal information on their own systems or in third-party cloud services. There are no exceptions.
Read Start with Security for the fundamentals and follow our ongoing Stick with Security blog series for a deeper dive.