Uber has cut a deal with the US Federal Trade Commission (FTC) to settle charges that it failed to secure users’ personal data and made false claims about its security practices.
An agreement, published by the FTC on August 15, would see the global ride-sharing giant escape a fine if it agrees to independent audits of its data security every two years for two decades.
Similar complaints in Europe, once the EU’s General Data Protection Regulation (GDPR) comes into force next May, could result in a fine of up to 4% of global turnover for each breach.
Uber reported global revenue of $6.5 billion in 2016, suggesting a potential fine per breach of $260 million.
The company has agreed to introduce “a comprehensive privacy programme” and to the “regular, independent audits” to settle charges that it “deceived consumers by failing to monitor employee access to personal information and failing to reasonably secure sensitive consumer data”.
The San Francisco-based firm claimed it closely monitored employee access to consumer and driver data and deployed “reasonable measures” to secure personal information stored on third-party servers.
But the FTC found: “Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees’ access to personal information, and second by misrepresenting that it took reasonable steps to secure that data.”
The FTC stepped in after reports that Uber employees were accessing consumer data.
Uber issued a statement in November 2014 claiming it had a “strict policy prohibiting” employees from accessing data and that employee access would be closely monitored.
In fact, Uber stopped using an automated system for monitoring employee access to consumer data and “rarely monitored internal access to personal information about users”.
The company also claimed data was “securely stored”. But the FTC found Uber failed to prevent unauthorised access to consumers’ personal information in databases operated by Amazon Web Services.
For example, “a single key gave full administrative access to all the data” and Uber “did not require multi-factor authentication for accessing the data.
“In addition, Uber stored sensitive consumer information in plain readable text.”
Uber’s agreement with the FTC prohibits the company from “misrepresenting how it monitors access to personal information [or] how it protects and secures that data”.
However, it allows Uber to state that it has neither admitted nor denied the charges.
The FTC order is subject to public consultation until September 15, when the Commission will decide whether to make it final.
Violation of an FTC order is subject to a fine of up to $40,654 per breach.