Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach.
“Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the Federal Trade Commission last year over charges that the ride-sharing company deceived consumers about its privacy and data security practices.” states the FTC.
“Due to Uber’s misconduct related to the 2016 breach, Uber will be subject to additional requirements. Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.”
In November 2017, the Uber CEO Dara Khosrowshahi announced that hackers broke into the company database and accessed the personal data of 57 million of its users, the disconcerting revelation was that the company covered up the hack for more than a year.
The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.
Rather than to notify the data breach to customers and law enforcement as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed
In 2017 the FTC charged the company for deceiving customers with its privacy and data security practices.
The first settlement dated back August 2017, according to the FTC, the company failed to apply security measures to protect customers and drivers data, later while investigating the settlement, the Commission discovered that the company did not disclose the 2016 data breach before 2017.
According to the new settlement with the Federal Trade Commission, Uber is obliged to disclose any future breach affecting consumer data and share reports from required third-party audits of its privacy program.
The company must maintain records related to bug bounty activities, the authorities could assign civil penalties against the company in case it will fail to implement the above actions.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
(Security Affairs – FTC settlement, Uber data breach)