Uber agrees to expanded settlement with FTC over 2016 data breach

The ride-sharing company must disclose further breaches or suffer civil penalties.
Rob LeFebvre, @roblef
April 12, 2018

Last year, Uber settled with the FTC over allegations that it hadn't protected its customers' data in 2014, and actually misrepresented how secure that data was. Soon after that, the now-current CEO of the ride-sharing firm found that his company had hidden evidence of a separate extortion-based attack that exposed "25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of US Uber drivers and riders," according to the FTC.

The CEO at the time, Travis Kalanick, paid hackers $100,000 to hide the attack for more than a year. Because of that secondary breach and Uber's misconduct around it, the FTC has revised its original settlement for a 2014 incident to include a few more provisions, including civil penalties should the company fail to notify the FTC in the event of future breaches.

"My first week at Uber was the week we disclosed the 2016 breach," Uber's Chief Legal Officer Tony West told Engadget. "When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts."

Under the terms of the new complaint, Uber must also submit all the reports from the company's third-party audits of its privacy program, not only the first report. Uber must also retain records related to bug bounty reports like the one that uncovered the second breach.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," said Acting FTC Chairman Maureen K. Ohlhausen in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

The new revised agreement will go through a 30-day public comment period to end on May 14th, when the Commission will decide whether to make the proposal final.
