Last year, Uber settled with the FTC over allegations that it hadn't protected it's customers' data in 2014, and actually misrepresented how secure that data was. Soon after that, the now-current CEO of the ride-sharing firm found that his company had hidden evidence of an separate extortion-based attack that exposed "25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of US Uber drivers and riders," according to the FTC.
The CEO at the time, Travis Kalanick, paid hackers $100,000 to hide the attack for more than a year. Because of that secondary breach and Uber's misconduct around it, the FTC has revised its original settlement for a 2014 incident to include a few more provisions, including civil penalties should the company fail to notify the FTC in the event of future breaches.
"My first week at Uber was the week we disclosed the 2016 breach," Uber's Chief Legal Officer Tony West told Engadget. "When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts."