Monday, April 23, 2018

"FTC Puts Uber on a Short Leash for Security Breaches" (plus Didi encroaches)

Didi Chuxing just started up in Mexico.*
Uber has to feel as if the world is closing in on them.

From IEEE Spectrum:
For the next 20 years, the agency will review reports on Uber’s privacy and security practices
It’s not nice―or smart―to deceive the U.S. Federal Trade Commission, especially while you’re in negotiations with the agency over penalties it’s going to impose for previously being dishonest.
Last August, the ride-hailing company Uber entered into a consent agreement with the FTC regarding its supposedly “securely stored” and “closely monitored” (pdf) customer and driver information. Uber bragged that it was using “the most up-to-date technology and services to ensure that none of these are compromised,” and promised that information was “encrypted to the highest security standards available.”
Alas, the FTC found these claims were more chimera than reality. As a consequence of its lackadaisical security practices, Uber experienced a data breach in May 2014 that allowed attackers to access the names and driver’s licenses of 100,000 Uber drivers, along with many of the drivers’ bank accounts and Social Security numbers.
In that consent agreement, Uber agreed to stop misrepresenting the quality of its security and privacy practices; put a comprehensive privacy program into place; and get independent third-party risk assessments of its privacy program every two years for the next 20 years. The first assessment report would be sent to the FTC, while the rest would be retained by Uber, which promised to act on any recommendations made in the reports.
Then, in November 2017, Uber admitted there had been another data breach about one year earlier. This time, hackers accessed some 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers of U.S. Uber drivers and customers. Furthermore, Uber confessed that it had paid $100,000 in ransomware disguised as a “bug bounty” to intruders to delete the data and keep the breach out of the public eye....MORE
*Here's the Didi story via VentureBeat:
China’s Didi launches ride-hailing service in Mexico, one of Uber’s biggest strongholds