Uber has agreed to implement a “comprehensive privacy program” as part of a settlement with the Federal Trade Commission, which alleged that the ride-hailing company stored data in an unsecured cloud service and didn’t monitor how often its employees looked at user data.
The FTC’s complaint stems from activity at Uber in 2014, when employees allegedly had free reign to access customer data. According to former Uber employees who spoke to Reveal News last year, their co-workers used this access to look up information about their exes and celebrities, including Beyoncé.
Uber implemented a new system to monitor employee access to user data in December 2014, according to the FTC. But the system was active for less than a year, and for nine months after it was discontinued, employees once again had unfettered access to data.
The FTC also claims that Uber failed to live up to its promises to keep driver data secure. In May 2014, the names and license plate numbers of 50,000 Uber drivers were exposed in a data breach.
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” FTC Acting Chairman Maureen Ohlhausen said in a statement. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Uber’s security team has grown considerably since the 2014 allegations. Following the breach, Uber hired its first chief security officer and the company says it now employs “hundreds of trained professionals dedicated to protecting user information.” The company recently rolled out an internal differential privacy tool that will let its engineers work with customer data without accessing sensitive personal information.
“We are pleased to bring the FTC’s investigation to a close. The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs,” an Uber spokesperson told Gizmodo. “This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”
A FTC spokesperson told Gizmodo that Uber won’t pay anything to settle the case, an arrangement that’s typical for companies being hit with their first FTC complaint. Instead, the company will submit to external audits of its privacy controls every two years for the next 20 years. Uber is also prohibited from misrepresenting its privacy practices to consumers. If it violates the settlement, Uber may face fines of up to $40,654 per violation.