BreachExchange mailing list archives
Uber Rider or Driver? You Were Subject to Deceptive Privacy Claims, Says FTC
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Aug 2017 17:17:30 -0600
https://www.inc.com/erik-sherman/new-ftc-uber-settlement-is-another-reason-travis-k.html

Ride with Uber? Drive with them? Your data may not have been secure or private, according to a settlement today with the Federal Trade Commission complaint over deceptive claims as announced in an agency conference call today.

It's another fiasco from when co-founder Travis Kalanick ran the company -- and just one more reason why he should not regain control.

Although the company faces no financial penalty because there was no financial loss to consumers, Uber agreed to have its data security and privacy mechanisms audited every two years by a third party.

The settlement today stems from 2014 news reports that Uber employees had broad access to private data of consumers using the service. At the time, Uber responded with a strong statement about its strict privacy policy. But, according to the FTC complaint, there were stretches of many months where monitoring mechanisms and alerts were ignored.

The data included geolocation information -- pickup and destination points available from its so-called "God View" tracking tool -- that can be paired with other information for a prying look into someone's activities.

In addition, in May 2014, a massive data breach of Uber's accounts on Amazon's cloud service -- made possible when an engineer posted an access key providing "full administrative privileges" -- affected 100,000 people registered as Uber drivers. Data taken included names and driver's license numbers as well as unencrypted information for 215 bank accounts and 84 unencrypted Social Security numbers.

Unencrypted storage of private data is the sort of action that makes experienced software engineers and security experts roll their eyes in disbelief. It's like living in a city and leaving your front door unlocked all the time.

Acting FTC chairman Maureen Ohlhausen made clear that, when it comes to privacy, "companies will be held accountable for their promises," whether fast-growing startups or large established businesses. She also noted that the FTC does not comment on ongoing investigations, so Uber could potentially be facing future actions on other issues.

This isn't the first time that Uber has come under fire from the FTC. In January 2017, Uber agreed to pay $20 million to settle charges that it made exaggerated earnings claims to recruit more drivers.

It's another brick in the foundation of Uber's troubled existence. Others include charges of using software to evade law enforcement sting operations, a culture that enabled sexual harassment and other problems, and even running billions in the red each year when a path to ultimate profitability, short of seeing all competitors disappear and then raising prices, is unclear.