Uber agrees to expanded settlement with FTC over 2016 data breach

The ride-sharing company must disclose further breaches or suffer civil penalties.

Rob LeFebvre
April 12, 2018 2:13 PM
AFP/Getty Images

Last year, Uber settled with the FTC over allegations that it hadn't protected its customers' data in 2014, and actually misrepresented how secure that data was. Soon after that, the now-current CEO of the ride-sharing firm found that his company had hidden evidence of a separate extortion-based attack that exposed "25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of US Uber drivers and riders," according to the FTC.

The CEO at the time, Travis Kalanick, paid hackers $100,000 to hide the attack for more than a year. Because of that secondary breach and Uber's misconduct around it, the FTC has revised its original settlement for a 2014 incident to include a few more provisions, including civil penalties should the company fail to notify the FTC in the event of future breaches.

"My first week at Uber was the week we disclosed the 2016 breach," Uber's Chief Legal Officer Tony West told Engadget. "When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts."

Under the terms of the new complaint, Uber must also submit all the reports from the company's third-party audits of its privacy program, not only the first report. Uber must also retain records related to bug bounty reports like the one that uncovered the second breach.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," said Acting FTC Chairman Maureen K. Ohlhausen in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

The revised agreement will go through a 30-day public comment period ending on May 14th, when the Commission will decide whether to make the proposal final.
