Uber submits to privacy audits for 20 years

Ride-hailing firm agrees to measures to settle FTC privacy complaints

Uber is to face 20 years of privacy audits after settling Federal Trade Commission (FTC) complaints that it deceived customers and didn't protect their personal data securely enough.

The ride-hailing firm has agreed to roll out a privacy programme that tackles any privacy risks to Uber's services, and protects people's personal information, as well as subjecting itself to a third-party audit every two years for the next 20 years.

It comes after alleged privacy breaches dating back to 2014 that led the FTC to file two complaints with the company.

"Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said the FTC's acting chairman, Maureen Ohlhausen.

The FTC claims Uber allowed its employees to access personal customer and driver records after it decided to stop using a self-developed solution that monitored employee access to its customers' data. The monitoring platform was only in operation for less than a year and after it terminated the use, it didn't introduce any other process to monitor access.

Although at the time, Uber said its data was securely stored in its database, it has since transpired this wasn't the case and it actually failed to provide any kind of system that prevented unauthorised access to customers' confidential information.

Responding to media reports that Uber employees were improperly accessing customer data, Uber issued a statement in November 2014 saying a "strict policy" forbade such access to customer and driver information except for certain business purposes, and that their access would be closely monitored.

The following month it developed an automated system to monitor employee access to customer data, but the FTC claimed it stopped using this system less than a year later, and rarely monitored access for nine months afterwards.

Meanwhile, the FTC also claimed that while Uber said people's data was "securely stored within our databases", its security measures did not prevent unauthorised access to databases stored in Amazon Web Services' cloud. That allegedly enabled an intruder to steal 100,000 names and driver's license numbers from Uber's database in May 2014.

"This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honour your privacy and security promises," Ohlhausen said.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

Uber ordered to reinstate drivers fired by its algorithm
artificial intelligence (AI)

Uber ordered to reinstate drivers fired by its algorithm

15 Apr 2021
Uber to offer electric vehicles to London customers
Technology

Uber to offer electric vehicles to London customers

29 Mar 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021