FTC expands Uber settlement following last year's breach revelations
Uber has agreed to expand upon its settlement with the Federal Trade Commission (FTC) regarding customer deception about its privacy and data security policies, according to an FTC announcement on Thursday. Each violation of an issued consent order from the FTC can result in a civil penalty up to $41,484. The ride-sharing company faced charges over how it monitored employee access to its users' personal data and for "failing to reasonably secure" data in a third-party cloud.
In November it was disclosed that Uber also tried to cover up a 2016 data breach that was "strikingly similar" to its 2014 breach, according to the announcement. If the FTC finds the company is "misleading" its customers about their privacy, it could result in additional requirements or civil penalties.
The original settlement was reached in August 2017 and entailed the Silicon Valley company agreeing to "implement a comprehensive privacy program" and conduct independent audits. The new revisions require Uber to submit such audits to the FTC.
Uber has faced a lot of scrutiny in recent years for the actions of its former CEO and complaints of sexual harassment, but the ride-sharing company also stood out for its decision to pay hackers $100,000 to mask the 2016 breach and delete the accessed data.
Uber reportedly learned of the breach in 2016, but the public was not notified until a year later. Hackers used an access key of an Uber engineer "posted on a code-sharing website," according to the FTC.
About 57 million users of the app and 600,000 drivers were left compromised. Names, driver's license numbers, email addresses and phone numbers were among the data hackers obtained.
Breaches highlight a company's shortcomings in cybersecurity and are usually a result of compromised authentication, outdated software or a lack of adequate talent on staff. But recent breaches — such as Delta and Sears — left companies scrambling after a vendor was hacked.
But Uber cannot blame the security of its third-party cloud provider. An employee within the company essentially handed hackers the tool to gain entry to its cloud storage and unencrypted files, a red flag on its own. The FTC views this as irresponsible negligence for consumer's privacy protection.
- Federal Trade Commission Uber Agrees to Expanded Settlement with FTC Related to Privacy, Security Claims
Follow Samantha Ann Schwartz on Twitter