The settlement stems from the May 2014 data breach, which allowed an intruder to compromise more than 100,000 names and driver's license numbers that Uber stored in a datastore operated by Amazon Web Services, according to an Aug. 8 FTC press release.
The agency said Uber failed to take low-cost safety measures that could have prevented the breach, such as requiring engineers and programmers to use distinct access keys to access personal information stored in the cloud, or using multi-factor authentication for accessing the data.
Uber also stored sensitive consumer information in plain readable text in database back-ups stored in the cloud, including geolocation information, the release said.
The agreement prohibits Uber from misrepresenting how it monitors internal access to consumers' personal information and from misrepresenting how it protects and secures that data.
Uber will also be required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and to obtain frequent independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," Maureen Ohlhausen, acting chairman of the FTC, said in a statement. "This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises."
It's critical for senior executives and boards to put the building of trust at the top of the priorities list in the age of digital business and increasing cyber risk, Malcolm Harkins, chief security and trust officer at Cylance, told SC Media.
“While I respect the work of Uber's more recent executive hires, this settlement may be an indication of things that were lacking to deliver that trust earlier in Uber's history,” Harkins said. “Not only for security, but for privacy, all organizations should have a set of principles in place to guide the placement of the anchor points for security and privacy to deliver trust.”
Harkins added that it's equally important for the right governance model to oversee the evolution of trust throughout the company.