
Uber, FTC agree to new settlement terms over data breach

Uber is now required to submit every audit report of its privacy program to the FTC, and faces civil penalties if it fails to disclose another breach.
Written by Natalie Gagliordi, Contributor

Uber has agreed to comply with new settlement terms laid out by the US Federal Trade Commission pertaining to the ride-hailing company's 2017 data breach.

In October 2016, hackers stole names, email addresses, and phone numbers of 57 million Uber riders around the world, along with data on more than 7 million drivers, which included over 600,000 drivers' license records.

The breach apparently occurred after hackers compromised a private GitHub repository and harvested engineering credentials, which were later used to access an Amazon Web Services (AWS) account and the information stored inside it.

As if the breach wasn't problematic enough, it was later discovered that Uber paid the hackers $100,000 to delete the data, and then kept details of the breach quiet under the guise of the legitimate bug bounty program offered by Uber on the HackerOne bug bounty platform.

Uber took a lashing from the FTC, and was accused of purposely misleading consumers about its privacy practices. In its original FTC settlement, Uber agreed to disclose any future security incidents in a timely manner and submit to 20 years of periodic privacy audits.

Under the new terms, Uber is now required to submit every audit report of its privacy program to the FTC, as opposed to only submitting the initial audit report. The ride-hailing company must also retain certain records from its bug bounty programs regarding vulnerabilities and unauthorized access to consumer data.

Meanwhile, the revised settlement also threatens Uber with civil penalties if it fails to notify the FTC of future security breaches involving consumer information.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," acting FTC chairman Maureen Ohlhausen said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."
