On May 12, 2014, an intruder was able to access sensitive personal information belonging to over 100,000 Uber drivers including names, driver license numbers, social security numbers, and bank account information. Uber did not detect this major breach until September 2014 and failed to notify Uber users until February 2015.
- Implement two-factor authentication for internal access to personal information
Prior to the complaint, Uber stored all of its data in an Amazon S3 datastore, a scalable cloud storage service used to store and retrieve large amounts of data. S3 keeps information in “buckets,” virtual containers to which individual access controls can be applied. However, Uber used a single access key (in effect, one password) that granted full administrative access to all of the data, which made that data significantly easier to compromise. Requiring two-factor authentication for internal access helps control who can reach particular types of information and makes it harder for an intruder holding a stolen credential to access confidential data.
- Closely monitor and audit employee access to consumer data
Similarly, the FTC’s complaint against Uber noted that all Uber employees could access all consumer data (through the single access key), regardless of their job functions. This left Uber more exposed to data breaches. Limiting employee access to the data that their job function actually requires greatly improves security.
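The two points above (one all-powerful key versus per-bucket controls, and access tied to job function plus a second factor) can be shown side by side as AWS IAM policy documents. The following is an added illustration, not a policy from the page, from Uber, or from the FTC settlement: the bucket name `example-driver-records`, the `driver-docs/` prefix, and the role described as a support analyst are all assumed for the example.

```json
{
  "weak_policy_one_key_for_everything": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "FullAdminAccessToAllBuckets",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }
    ]
  },
  "least_privilege_policy_for_support_analyst": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListOnlyTheDriverDocsPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-driver-records",
        "Condition": {
          "StringLike": { "s3:prefix": ["driver-docs/*"] }
        }
      },
      {
        "Sid": "ReadOnlyDriverDocs",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-driver-records/driver-docs/*"
      },
      {
        "Sid": "DenyEverythingWithoutSecondFactor",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {
          "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
        }
      }
    ]
  }
}
```

The first document is the situation the complaint describes: any holder of the key can read, write, or delete anything in every bucket. The second grants one job function read access to one prefix of one bucket and nothing else, and the explicit `Deny` uses `BoolIfExists` so that a session with no MFA claim at all (for example, a long-lived access key used directly from a script) is refused rather than silently allowed. Pair a policy like this with S3 server access logging or CloudTrail data events on the bucket so that the access you do grant can be audited against the job function it was granted for.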
- Encrypt Personal Information
In the complaint against Uber, as well as in the FTC’s settlement, one of the biggest critiques was that Uber stored all of the personal data in the S3 buckets in plaintext (unencrypted), meaning that once an intruder got into the data store, the sensitive information of Uber riders and drivers was immediately readable. One of the easiest fixes is for Uber and other companies storing sensitive data to encrypt any personal information they receive when they place it in storage, adding another layer of security protecting their customers.
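Encryption at rest in S3 is a bucket configuration rather than application code. As an added example (not from the page, Uber, or the FTC), the object below pairs a bucket default-encryption rule, in the shape accepted by the S3 PutBucketEncryption API, with a bucket policy that refuses uploads which do not ask for encryption. The bucket name `example-driver-records`, the account number `111122223333` and the key id `EXAMPLE-KEY-ID` are placeholders.

```json
{
  "bucket_default_encryption": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        },
        "BucketKeyEnabled": true
      }
    ]
  },
  "bucket_policy_deny_unencrypted_uploads": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DenyUploadsNotUsingKmsEncryption",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-driver-records/*",
        "Condition": {
          "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
        }
      }
    ]
  }
}
```

The default rule means every new object is encrypted with a customer-managed KMS key even when the uploading client forgets to ask; the deny statement makes a forgotten header a visible failure instead of a silently weaker object (the bucket policy is evaluated before default encryption is applied, so clients must send the header explicitly). The caveat that matters for this case is that server-side encryption only helps if the credential an intruder obtains cannot also call `kms:Decrypt` on that key: an over-broad key like the one in the complaint would let the attacker read the ciphertext back as plaintext, so the KMS key policy has to be scoped to the same job functions as the bucket access.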
- Implement and update internal privacy and security programs
Similarly, in the months prior to the decision against Uber, the company repeatedly misrepresented the scope of its privacy practices, assuring its customers that their data was safe. Because Uber did not enforce the privacy standards it claimed to follow, a large part of the FTC’s settlement focused on evaluation and recordkeeping. Corporations should align their public statements with their actual privacy practices in order to both protect the privacy of their customers and remain compliant with the FTC.