Uber has agreed to settle accusations by America's top consumer protection agency that the ride-hailing company failed to protect consumers' sensitive data, a misstep that allegedly allowed employees to access customer and driver information and led to a significant data breach in 2014 that exposed thousands of drivers' names and license numbers.
The settlement with the Federal Trade Commission reflects Uber's latest attempt to move past its troubled history and recent crises, which have been marked by the departure of top executives, including chief executive Travis Kalanick, as well as a probe into its toxic workplace culture.
One source of the FTC's concern was an Uber program known as “God View,” which allowed company employees to monitor the real-time locations of customers who had requested a ride on the service. The existence of God View caused an uproar in 2014, and Uber soon released a privacy statement that said it maintained a “strict policy” that prevented employees from inappropriately spying on customers.
But the FTC, in its complaint, said that Uber misled the public about its efforts to stop any snooping. Despite building an “automated system” to police employees' access to God View, Uber abandoned the tool after less than a year and “rarely monitored” how employees were subsequently using God View, according to the FTC. The agency's investigation began shortly after news reports emerged about God View but does not cover later privacy-related revelations about tools such as Greyball, which Uber has used in some cases to track and circumvent regulators.
The FTC also said that Uber failed to implement basic security practices, such as two-factor authentication, that could have kept Uber's driver data from leaking. Customer information, including location data, was also stored online in an unencrypted format, according to the agency, a state that can make the information easier for hackers to misuse.
“Companies will be held accountable for their promises,” said Maureen Ohlhausen, acting chairwoman of the FTC. “This is the only way we can foster true competition on privacy practices in the marketplace.”
The settlement will force Uber to “take privacy into account every day,” Ohlhausen added.
The FTC is not requiring Uber to pay to settle the allegations, the agency said, although Uber will be hiring an outside firm to monitor its privacy practices, and future violations of the settlement agreement could lead to financial penalties.
Uber did not immediately respond to a request for comment.