The Federal Trade Commission will expand its oversight of Uber following the disclosure that the company improperly withheld news of a 2016 security breach that exposed sensitive data for more than 25 million users.
The ride-hailing service was already bound to an agreement reached last year requiring it to undergo privacy audits every two years for the next two decades.
The 2017 agreement settled FTC charges that Uber misrepresented the level of access its employees had to user data and the steps it took to secure that data. Following reports in 2014 that Uber employees used an administrative tool internally dubbed God-view to monitor active Uber cars and customers—and sometimes observed specific users’ locations for amusement—Uber promised to use a newly created system to monitor and restrict employee access to such information. Last year’s FTC charges stemmed, in part, from Uber ending use of that system less than a year after it was put in place.
Failure to disclose new breach
Thursday’s expansion of that settlement, the FTC said, came after it learned Uber failed to disclose a 2016 breach that exposed 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of US Uber drivers and riders. The FTC said Uber learned of the breach in November 2016 but didn’t disclose it to consumers or the FTC for another 12 months. Uber also paid the hackers who exploited the vulnerability $100,000 and characterized the payment as a payout under its bug-bounty program.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” acting FTC Chairman Maureen K. Ohlhausen said in a statement. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
Under the expanded agreement, Uber is compelled to disclose certain types of incidents involving customer data and to submit to the FTC all the reports from the required third-party audits of Uber’s privacy program rather than only the initial one. Uber will further be required to retain records related to bug-bounty reports regarding vulnerabilities that involve potential or actual unauthorized access to consumer data.
In a statement issued Thursday, Uber Chief Legal Officer Tony West wrote:
My first week at Uber was the week we disclosed the 2016 breach. When [CEO] Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business, and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that, just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts.
The updated settlement comes amid last week’s bombshell revelations from Facebook that “malicious actors” abused search tools on its platform that made it possible to collect identities and personal information for most of the site’s two billion users. The social network also failed to disclose the access Cambridge Analytica got to data belonging to more than 87 million users until the scandal was reported by and the .
Critics argue the exposures violate a 2011 agreement settling FTC charges that Facebook deceived users by telling them they could keep their Facebook information private and then repeatedly allowing it to be shared and made public. A former FTC official, according to , estimated the revelations may result in a fine of as much as $1 billion.