Uber previously settled with the FTC over allegations that it didn't protect its customers' data back in 2014. Not only that, Uber was accused of misrepresenting how secure the data was.
Not long after that, Uber's current CEO found that the company had hidden evidence of a separate extortion-based attack that exposed “25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers of US Uber drivers and riders,” according to the FTC.
Due to the misconduct around the secondary breach, the FTC revised its original settlement over the 2014 incident to include additional provisions, including civil penalties, should Uber fail to notify the FTC of any future breaches.
“My first week at Uber was the week we disclosed the 2016 breach,” Uber's Chief Legal Officer Tony West told Engadget. “When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business and put integrity at the core of every decision we made. Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts.”
Under the terms of the new complaint, Uber has to submit all of the reports from the company's third-party audits of its privacy program, not only the first report. Additionally, the company must retain all records related to bug bounty reports.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen in a statement. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
The revised agreement set forth by the FTC will go through a 30-day public comment period that will end on May 14th. That's when the Commission will decide if it wants to make the proposal final.