Ride-hailing service Uber has agreed to protect data and audit use of rider information to settle a complaint from the federal government that it deceived customers.
The Federal Trade Commission, in a complaint settled on Tuesday, alleged that Uber failed to secure data about rider trips and neglected to monitor employee access to the information. It's another in a long string of missteps for the San Francisco-based company, which faces a separate federal investigation for allegedly using a phony app to block city inspectors from monitoring its service.
Uber misrepresented how well it monitored employee access to personal information about users and drivers, and it misstated that it took steps to secure customer data, FTC Acting Chairman Maureen Ohlhausen said in a statement. "This case shows that even if you're a fast-growing company, you can't leave consumers behind: You must honor your privacy and security promises," she said.
Uber said the allegations date to 2014, and before the government complaint, it had already put safeguards in place to protect data. Since then, it has strengthened privacy and data security and will keep investing in security programs, the company said.
But the FTC alleged in its complaint that after news reports of Uber employees improperly accessing customer data, the company issued a statement in November of 2014 that it had a strict policy prohibiting employees from viewing the data except for legitimate business purposes. The company also said employee access would be closely monitored.
But Uber stopped using a monitoring system less than a year later and for nine months, rarely monitored access to customer and driver information.
Also, Uber claimed that data was securely stored in its databases, but an intruder gained access to driver data in May of 2014, including 100,000 names and driver's license numbers, the complaint said.
"The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach," the FTC statement said.
To settle the complaint, Uber agreed to stop misrepresenting how it monitors access to customer information and to stop misrepresenting how it secures the data, the FTC said. Uber Technologies Inc. also agreed to put a program in place to protect customer privacy. It also must do an audit every two years for the next two decades to make sure the privacy program remains in place.
The FTC voted 2-0 to accept the agreement. The public will be able to comment for 30 days, after which a final decision will be made.
Uber said it hired its first chief security officer in 2015 and now has hundreds of employees who work to protect consumer information. "This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information," a company statement said.
The settlement comes as the world's largest ride-hailing company tries to recover from a series of costly blunders this year that damaged its reputation and forced out combative CEO Travis Kalanick. Many riders deleted Uber's app after it tried to capitalize on a New York taxi driver strike in protest of government immigration policies. Then a female former Uber engineer published a blog detailing sexual harassment at the company. That led to Uber's hiring of two law firms to investigate, and the firings of 20 people including some managers. The company says it has increased the size of its human resources department and is working to change its culture.