FTC: Uber Failed To Protect 100K Drivers In 2014 Hack

The Federal Trade Commission (FTC) has ordered Uber to up its security game after finding the company lacking in numerous areas. In its complaint against the firm, it also revealed that a data theft from 2014 was twice as big as first reported, with details of 100,000 drivers leaked to an unknown "intruder." Previous reports had put the number affected at 50,000, Forbes (https://www.forbes.com/sites/thomasbrewster/2017/08/15/uber-settles-ftc-complaint-over-secuirty-and-privacy/#43ac02da88da) writes.

That leak was possible because the hacker was able to view driver data on an Amazon Web Services store in plain text, according to the FTC. An access key to get that information had been publicly posted by an Uber engineer to the code-sharing website GitHub, the FTC wrote in its complaint. That key "granted full administrative privileges to all data and documents" on the Amazon server.

"The intruder accessed one file that contained sensitive personal information belonging to Uber drivers, including over 100,000 unencrypted names and driver's license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and social security numbers," the FTC complaint added. The leak also included physical addresses, email addresses, cellphone numbers, device IDs and location information from trips Uber drivers had taken.

The FTC said Uber had also failed to properly monitor employee access to consumers' personal data. Uber responded to 2014 criticism that its employees were able to view passenger data, including a God View map that gave deep insight into where customers were going and what they were doing, by producing an automated system to monitor access to personal information. But the FTC said the company stopped using it less than a year later and that, for more than nine months, Uber "rarely monitored internal access to personal information about users and drivers."

Though Uber hasn't been hit with any fines, as part of a settlement it has been told that for 20 years it has to go through an independent, third-party audit for its privacy program, ensuring it's up to the FTC's standards. That'll have to take place every two years. Uber previously had to cough up $20 million to the FTC for exaggerating earnings claims to attract new drivers.

An Uber spokesperson sent the following statement to Forbes: "We've significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first chief security officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information."
