
Uber agrees to expanded settlement with FTC over 2016 data breach

The ride-sharing company must disclose further breaches or suffer civil penalties.

Last year, Uber settled with the FTC over allegations that it hadn't protected its customers' data in 2014, and actually misrepresented how secure that data was. Soon after that, the now-current CEO of the ride-sharing firm found that his company had hidden evidence of a separate extortion-based attack that exposed "25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of US Uber drivers and riders," according to the FTC.

The CEO at the time, Travis Kalanick, paid hackers $100,000 to hide the attack for more than a year. Because of that secondary breach and Uber's misconduct around it, the FTC has revised its original settlement for a 2014 incident to include a few more provisions, including civil penalties should the company fail to notify the FTC in the event of future breaches.

"My first week at Uber was the week we disclosed the 2016 breach," Uber's Chief Legal Officer Tony West told Engadget. "When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts."

Under the terms of the new complaint, Uber must also submit all the reports from the company's third-party audits of its privacy program, not only the first report. Uber must also retain records related to bug bounty reports like the one that uncovered the second breach.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," said Acting FTC Chairman Maureen K. Ohlhausen in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."

The revised agreement will go through a 30-day public comment period ending on May 14th, when the Commission will decide whether to make the proposal final.