Taxi giant Uber escapes major fines despite major data security failures for both customers and employees.
The US Federal Trade Commission has ordered the international taxi service Uber to introduce stricter measures for the protection and privacy of customers' and drivers' details when stored in the cloud and on internal systems. Uber accepted the charges, agreeing to implement tighter controls, which will be inspected by an independent auditor every two years for the next 20 years. If it fails to comply, Uber will incur fines.
Such an extensive punishment is due to the negligence shown towards the personal data of both customers and drivers, which the taxi app could harvest for fun.
The FTC began investigating Uber after it was discovered that the company was using the software program God View, which enables the user to monitor real-time locations of customers and drivers.
After this enquiry, Uber developed an automated system to monitor employee access to customer and driver personal data, and this was in use for a reported 8 months. It has been stated that Uber workers were snooping through customer records, including those of pop sensation Beyoncé.
In addition, the FTC found Uber to be incompetent when it came to the security of the personal information that was stored on its systems, despite the taxi business refuting the claims.
Punishment for negligence towards personal data should be severe, and with Uber operating in Europe, it should be very mindful of the looming General Data Protection Regulation, which comes into force in May 2018. Failure to secure the personal sensitive data of its employees and customers will lead to heavy fines and damage to reputation, which could result in potential bankruptcy.
If encryption were used within Uber’s system, the data would be unusable to all those without access. With the data controller at the organization in control of the encryption keys, the data would be secure both internally and externally.
Organizations should use the Uber case as a catalyst to take notice of how data is being accessed and protected. Is it being protected to the best of its abilities? If not, implement the necessary security systems, as data security should never be an afterthought!