Colombia’s data protection authority, Superintendencia de Industria y Comercio, has ordered Uber to improve its technical and organizational security measures to protect the personal data of Colombian users. Uber must also obtain independent and third-party audits certifying it meets the requirements of the order within 120 days of the ruling and every year thereafter for the next five years.
In its investigation, the Colombia DPA found that the British, Dutch and French Data Protection Authorities, the Federal Trade Commission, California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón alleged that, between October and November 2016, intruders accessed users’ personal data Uber stored in its third-party cloud provider’s servers (Amazon S3 Datastore) by using an access key an Uber engineer had posted on a code-sharing website. Intruders used the access key to download unencrypted files that contained personal data.
The regulators also alleged Uber did not have a policy prohibiting engineers from reusing credentials and did not require engineers to enable multi-factor authentication when accessing Uber’s GitHub repositories. The intruders accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches, whereupon they discovered the access key in plain text.
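A defensive check of the kind that would catch a plaintext key like the one described above, as an added example that is not part of the original article or of Uber's own tooling: a pre-commit scanner that flags AWS access key IDs in text about to be committed and notes whether a secret-access-key-shaped token sits nearby. The key format (20 characters starting with AKIA or ASIA, 40-character secret) follows AWS's documented layout; the sample credentials are the publicly documented placeholder values from AWS documentation, not real keys.

```python
import re
from dataclasses import dataclass

# Long-term AWS access key IDs are 20 characters starting with "AKIA";
# temporary (STS) key IDs start with "ASIA". Both are followed by 16 uppercase alphanumerics.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-style characters, usually committed right next to the key ID.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


@dataclass
class Finding:
    line_no: int        # 1-based line in the scanned text
    key_id: str         # the matched access key ID
    secret_nearby: bool # a 40-char secret-shaped token within `window` lines


def scan_text(text: str, window: int = 3) -> list[Finding]:
    """Return one Finding per AWS access key ID found in `text`."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, start=1):
        for m in KEY_ID_RE.finditer(line):
            # Look a few lines either side for the matching secret.
            lo, hi = max(0, i - 1 - window), min(len(lines), i + window)
            nearby = "\n".join(lines[lo:hi])
            findings.append(Finding(i, m.group(1), SECRET_RE.search(nearby) is not None))
    return findings


def safe_to_commit(text: str) -> bool:
    """Pre-commit gate: True only when no AWS access key ID is present."""
    return not scan_text(text)


# Constructed sample of a credentials file accidentally staged for commit.
# The values are the placeholder pair from AWS documentation, not live credentials.
LEAKED_SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

# Constructed sample of the same file using an environment reference instead of a literal key.
CLEAN_SAMPLE = """\
[default]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
"""

if __name__ == "__main__":
    for f in scan_text(LEAKED_SAMPLE):
        print(f"line {f.line_no}: access key ID {f.key_id} (secret nearby: {f.secret_nearby})")
    print("clean sample safe:", safe_to_commit(CLEAN_SAMPLE))
```

Wiring `safe_to_commit` into a pre-commit hook rejects the commit before the key ever reaches a shared or public repository, which is the point at which the article's intruders found it.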
The breach affected 57 million Uber users worldwide, including 267,000 users in Colombia. Users were not notified until more than a year after the breach was discovered. Instead, Uber paid the intruders responsible $100,000, through its third-party “bug bounty” program, to destroy all personal data they had downloaded.
Uber’s bug bounty program was created to provide financial rewards to parties who responsibly disclose security vulnerabilities rather than those who maliciously exploit vulnerabilities to access users’ personal information.
The Colombia DPA also found that Uber failed to implement reasonable access controls to protect the personal data of Colombian users stored in the Amazon S3 Datastore, and that it failed to notify users of an earlier data breach that occurred in Uber’s Amazon S3 Datastore in May 2014, according to an FTC complaint.
Colombian Law 1581 of 2012 provides that companies are responsible for the users’ personal data in their custody or possession and must implement policies and practices that give effect to the protections afforded under Colombian data protection principles. In the DPA’s view, Uber did not take real responsibility for the vast amounts of user personal data within its control, in that it did not implement sufficient practices and procedures to give effect to the principles set forth in Law 1581 of 2012.
The decision also requires that Uber:
- Develop, implement and maintain a comprehensive security program designed to address security risks that could result in unauthorized access to the personal data of its users, and to protect the security, confidentiality and integrity of personal data that is stored, captured, accessed or transmitted by the organization. The content and implementation of the program must be documented in writing and must contain controls and procedures appropriate to, among other factors, Uber’s size and complexity, the nature and scope of its activities, and business changes or new products or services. The nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of data subjects that the processing presents, must also be taken into account.
- Develop, implement, and thereafter maintain a data breach program, which includes notifying the authority of any personal data breach without undue delay and communicating it to the affected data subjects.
- Monitor compliance on an ongoing basis.
- Provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in its policies.
Uber still has time to appeal the decision.