The Federal Trade Commission is tightening its grip on Uber after the ride-hailing company failed to disclose a security breach for nearly a year and paid the hacker $100,000 to keep the incident quiet. This happened while the company was already under FTC investigation for an earlier breach.
After reports of Uber employees tracking celebrities and users for fun, revelations about the "God View" tool that let employees see the locations of drivers and riders, and a "Hell" program used to target Lyft drivers, the FTC had required the company to undergo independent privacy audits every two years for the next 20 years. The agreement between the Commission and Uber also required Uber to implement a privacy program to protect user information.
However, the company then failed to inform users of a second hack, which affected over 25 million Americans (out of roughly 57 million users and drivers affected worldwide). It also failed to alert the Commission to the breach while the earlier investigation was still under way. The agency is now expanding the settlement, adding provisions intended to stop the company from continuing to violate users' privacy and security.
FTC revises its agreement with Uber, includes more provisions
The FTC issued a revised complaint (PDF) this week revealing that an Uber engineer had posted an access key on a code-sharing website, and that the key was then used by the attackers to reach consumer data in November 2016. The data was not encrypted, giving the attackers complete access to over 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver's license numbers belonging to US individuals. [Over 57 million users and drivers were affected worldwide.]
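The breach path described above, a credential pushed to a public code-sharing site, is exactly what pre-commit secret scanning exists to catch. What follows is an added example, not Uber's tooling and not anything taken from the FTC complaint. It assumes (the article does not say) that the leaked key resembled a cloud access key, and it scans a unified diff of staged changes such as the output of `git diff --cached`. The AWS access key ID shape is documented by AWS; the other two rules, the entropy threshold, and the sample diff are assumptions constructed for the example.

```python
"""Pre-commit secret scanner: added example, not Uber's tooling or anything
from the FTC complaint.  Assumptions (not from the article): the leaked key
resembled a cloud access key, and the scan runs over a unified diff of staged
changes, e.g. `git diff --cached | python scan_secrets.py`."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# (kind, pattern, capture group holding the secret, apply entropy filter?)
# The AKIA/ASIA + 16 uppercase-alphanumeric shape of AWS access key IDs is
# documented by AWS; the other two rules are heuristics.
RULES = [
    ("aws_access_key_id",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0, False),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), 1, False),
    ("generic_secret_assignment",
     re.compile(r"(?i)\b(secret|password|passwd|api[_-]?key|token)\b\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"),
     2, True),
]
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per repository
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int     # line number in the new version of the file
    kind: str
    masked: str   # first four characters of the secret, rest redacted


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 is about 5, English words about 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def check_line(path: str, line_no: int, text: str) -> list[Finding]:
    found = []
    for kind, pattern, group, use_entropy in RULES:
        m = pattern.search(text)
        if not m:
            continue
        secret = m.group(group)
        # Low entropy usually means a placeholder such as "changeme"; skip it
        if use_entropy and shannon_entropy(secret) < MIN_ENTROPY:
            continue
        found.append(Finding(path, line_no, kind, mask(secret)))
    return found


def scan_diff(diff: str) -> list[Finding]:
    """Check only added lines of a unified diff, tracking new-file line numbers."""
    findings: list[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith(("--- ", "diff ", "index ", "\\")):
            pass                       # file headers and "no newline" markers
        elif (m := HUNK_HEADER.match(raw)):
            new_line = int(m.group(1))
        elif raw.startswith("+"):
            findings.extend(check_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith("-"):
            pass                       # a removed line cannot add a secret
        else:
            new_line += 1              # unchanged context line
    return findings


# Constructed sample diff (not real Uber code): a developer replaces an
# environment lookup with hard-coded credentials.  The AWS values are the
# placeholder credentials used in AWS's own documentation.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,3 +1,6 @@",
    " import os",
    '-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '+api_key = "x7Qp9zL2mN4vB8kR"',
    '+password = "changeme"',
    ' BUCKET = "example-bucket"',
])


if __name__ == "__main__":
    # Pre-commit use: read the staged diff from stdin, fail the commit on any hit
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(source)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} ({f.masked})")
    sys.exit(1 if hits else 0)
```

Run against the constructed diff it reports the access key ID, the secret key, and the high-entropy `api_key`, while the placeholder `password = "changeme"` is filtered out by the entropy check. A scanner like this is one layer only: it does nothing for a key that is already public, so the response to a leak is still to revoke and rotate the credential, and short-lived credentials limit how long a leaked key is useful in the first place.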
"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," FTC Acting Chairman Maureen Ohlhausen said in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."
The ride-hailing company will now be required to notify the Commission of future breaches and to retain records of bug bounty reports describing vulnerabilities that could allow unauthorized access to user data. It must also provide the FTC with all reports from the required third-party privacy audits; previously, Uber only had to submit the initial audit report.
Uber's response repeats its now-familiar line: it is a different company after Travis Kalanick. "My first week at Uber was the week we disclosed the 2016 breach. When Dara Khosrowshahi joined the company, he committed on behalf of every Uber employee that we would learn from our mistakes, change the way we did business, and put integrity at the core of every decision we made," Uber's Chief Legal Officer Tony West said.
"Since then we have moved quickly to do just that by taking responsibility for what happened. I am pleased that, just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts."
In light of the Uber settlement, it will be interesting to see how the FTC responds to Facebook's data misuse scandal, which affected up to 71 million Americans. The social networking giant also failed to notify the agency or its users in 2015, when it first learned of the incident.