FTC: Uber failures led to 2014 hack exposing 100k drivers’ details

Uber has agreed to third-party privacy audits for 20 years as part of a settlement with the Federal Trade Commission (FTC) over its failure to protect driver and rider data stored in AWS. 

The FTC alleges Uber’s security shortcomings allowed an intruder in May 2014 to access personal details of over 100,000 drivers. Uber initially believed the hack affected just under 50,000 drivers, but discovered in May and June 2016 that a further 60,000 drivers’ details were exposed in the breach, according to the FTC’s complaint. 

Uber used Amazon’s Simple Storage Service (S3) to store rider and driver personal information, including names, email addresses, phone numbers, trip records, geolocation information, driver’s license numbers, and images of driver’s licenses.    

Though Uber claimed it was using the latest technology and that personal information was “encrypted to the highest standards available”, the FTC alleged it failed to implement even basic access controls at its disposal. 

Uber discovered the breach in September 2014, but according to the complaint, until March 2015 it was storing “sensitive personal information in the Amazon S3 Datastore in clear, readable text, including in database back-ups and database prune files, rather than encrypting the information.” 

It fixed other issues after the discovering the breach, including previously allowing engineers and programmers to use a single key to access data stored in Amazon S3 with full administrative rights; not restricting access to data based on job function; and not requiring multi-factor authentication to access the data.

The FTC also accused it of failing to implement reasonable security training and guidance and lacking a written information security program until September 2014.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen K. Ohlhausen. 

“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

The complaint is also critical of Uber’s claims following reports in November 2014 about a tool internally called “God View” that an executive had used to stalk a journalist behind a story that was critical of the company. The tool was allegedly widely available to corporate staff, allowing the user to see a Driver’s location and the rider’s pick up location. 

Uber publicly claimed it was closely monitoring employee access to consumer personal information and developed an automated monitoring system in December 2014, but the FTC says that between August 2015 and May 2016 it didn't act on the system's automated alerts in a timely fashion. The FTC alleges it only monitored for access to account information on Uber executives. 

The ride-hailing company paid a $20,000 fine to settle a God View complaint by lawmakers in January 2016 and agreed to delete personally identifiable information of riders in the tool.

Uber has agreed to an FTC order demanding a third-party privacy audits it once every two years for the next 20 years to certify it’s compliance with the order. The commission can fine Uber up to $40,654 for each violation of the order. 

Uber is also banned from misrepresenting internal access to consumer’s information, and from misrepresenting how it protects that data. 

Finally, it will be required to implement a comprehensive privacy program.