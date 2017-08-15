Uber has agreed to settle accusations by America’s top consumer protection agency that the ride-hailing company failed to protect consumers’ sensitive data, a misstep that allowed employees to access rider and driver information and led to a data breach in 2014 that exposed thousands of drivers’ names and license numbers.

The settlement with the Federal Trade Commission does not require Uber to pay to settle the allegations, the agency said, though the San Francisco company must hire an outside firm to do audits of its privacy practices, and future violations of the settlement agreement could lead to financial penalties.

This reflects Uber’s latest attempt to move past its troubled history and recent crises, which have been marked by the departures of top executives, Travis Kalanick’s resignation as CEO as well as an investigation into what some called a toxic workplace culture.

One source of the FTC’s concern was an Uber program known as “God View,” which enabled company employees to monitor the real-time locations of customers who had requested a ride on the service. The existence of God View caused an uproar in 2014, and Uber soon released a privacy statement that said it maintained a “strict policy” that prevented employees from inappropriately spying on customers.

But the FTC, in its complaint, said that Uber misled the public about its efforts to stop any snooping. Despite building an “automated system” to police employees’ access to God View, Uber abandoned the tool after less than a year and “rarely monitored” how employees were subsequently using God View, according to the FTC. The agency’s investigation began shortly after news reports emerged about God View, but it does not cover later privacy-related revelations about tools such as Greyball, which Uber has used in some cases to track and circumvent regulators.

The FTC also said Uber failed to implement basic security practices, such as two-factor authentication, that could have kept Uber’s driver data from leaking. Customer information, including location data, also was stored online in an unencrypted format, according to the agency — a state that can make the information easier for hackers to misuse.

The settlement will force Uber to “take privacy into account every day,” said Maureen Ohlhausen, the FTC’s acting chairwoman.

“Companies will be held accountable for their promises,” Ohlhausen said. “This is the only way we can foster true competition on privacy practices in the marketplace.”

Uber did not immediately respond to a request for comment.

Fung writes for the Washington Post.

ALSO

Justice Department wants data on anti-Trump protesters. An L.A. tech firm is resisting

Los Angeles plans to launch a cybersecurity threat-sharing group with city businesses

Google and GoDaddy boot neo-Nazi website that mocked the woman slain in Charlottesville