Uber Enters FTC Consent Decree Over Failure to Protect Consumer Data

In 2014, press reports revealed that Uber employees improperly accessed riders’ personal information using an internal company tool called the “God View.”  To respond to the controversy, Uber posted this statement on its site:


Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors . . . .

The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.

The only problem was that Uber did not back it up. As the FTC explained in a blog post:

The system Uber implemented in December 2014 wasn’t designed or staffed to effectively monitor the data that Uber workers were accessing, so the company abandoned it. From August 2015 until May 2016, Uber didn’t follow up in a timely fashion on alerts concerning the possible misuse of consumers’ personal information. For a particular six-month period, Uber only monitored access to the account information of a select group. Who? Certain high-profile users, including Uber executives.

The FTC also faulted Uber for failing to take reasonable, low-cost measures that could have helped the company prevent the breach.

For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, Uber allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data. In addition, Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.

In May 2014, an intruder used an access key an Uber engineer had publicly posted on a code-sharing site to access the names and driver’s license numbers of 100,000 Uber drivers, as well as some bank account information and Social Security numbers. Uber did not discover the breach for almost four months.
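The shared key, the missing multi-factor authentication and the months of undetected use described above are all conditions that routine review of access logs can surface. The following Python sketch is an added example, not code from Uber or the FTC; the log format, key names, IP addresses and the "known network" range are constructed assumptions, and treating more than one source address as a sign of sharing is a heuristic to tune.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample access log (assumed format, not real data).
SAMPLE_LOG = """\
time,key_id,source_ip,action,mfa
2024-01-08T09:00:00Z,KEY-SHARED-1,10.0.4.11,GetObject,false
2024-01-08T09:05:00Z,KEY-SHARED-1,10.0.7.23,GetObject,false
2024-01-09T11:30:00Z,KEY-SHARED-1,10.0.9.40,ListBucket,false
2024-01-19T03:14:00Z,KEY-SHARED-1,203.0.113.50,GetObject,false
2024-01-19T08:00:00Z,KEY-ALICE-1,10.0.4.11,GetObject,true
"""

# Assumed corporate address space; replace with your own ranges.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def audit_key_usage(log_text, known_networks=KNOWN_NETWORKS, max_sources=1):
    """Flag keys that look shared, are used without MFA, or are used
    from a network outside the known ranges."""
    sources = defaultdict(set)      # key_id -> distinct source addresses
    no_mfa = set()                  # key_ids seen on a request without MFA
    external = defaultdict(list)    # key_id -> [(time, ip)] from unknown networks
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = ipaddress.ip_address(row["source_ip"])
        sources[row["key_id"]].add(ip)
        if row["mfa"].strip().lower() != "true":
            no_mfa.add(row["key_id"])
        if not any(ip in net for net in known_networks):
            external[row["key_id"]].append((row["time"], str(ip)))
    findings = {}
    for key, ips in sources.items():
        issues = []
        if len(ips) > max_sources:
            issues.append(f"shared: used from {len(ips)} distinct sources")
        if key in no_mfa:
            issues.append("no MFA on at least one request")
        for when, ip in external.get(key, []):
            issues.append(f"unknown network: {ip} at {when}")
        if issues:
            findings[key] = issues
    return findings

if __name__ == "__main__":
    for key, issues in audit_key_usage(SAMPLE_LOG).items():
        for issue in issues:
            print(f"{key}: {issue}")
```

Because a shared key carries no per-person identity, the source address is the only attribution the log offers, which is why distinct per-engineer keys make this kind of review far more useful.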

This week, the FTC announced it had entered a consent decree with Uber.  Under its consent decree, Uber is:

  • prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
  • prohibited from misrepresenting how it protects and secures that data;
  • required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
  • required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.