Uber has agreed to stricter monitoring by the U.S. Federal Trade Commission following its concealment of a 2016 data breach while it was negotiating with the agency for a settlement tied to a separate, yet similar, breach two years prior.
The FTC said Thursday the ride-sharing company had agreed to a revised settlement that, if violated, means Uber could be subject to civil penalties.
"The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future," says Acting FTC Chairman Maureen K. Ohlhausen.
The revised version of an earlier settlement comes as the technology industry is facing a reckoning over how it protects and uses personal data. The concern has been fueled by mega-breaches at companies, including Equifax, and Facebook's massive data leak.
Earlier this week, Facebook CEO Mark Zuckerberg testified before Congress. His unprecedented appearance followed the uproar over the improper transfer of up to 87 million profiles to the voter-profiling firm Cambridge Analytica (see Probes Begin as Facebook Slammed by Data Leak Blowback).
Uber reached a proposed settlement with the FTC last August, just two months before it reluctantly revealed another astounding data breach.
The August settlement covered a 2014 breach. In that incident, an attacker obtained a file of data containing 100,000 unencrypted names and driver's license numbers for Uber drivers. It also contained 215 unencrypted names with bank account and domestic routing numbers, and 84 other names with Social Security numbers.
The breach occurred because Uber had left an access key on the code-sharing website GitHub for an Amazon S3 bucket.
The FTC subsequently accused Uber of failing to reasonably secure personal data as well as failing to monitor access to consumer data by its own employees. As part of the original settlement, Uber agreed to implement a comprehensive privacy program and independent audits.
As those negotiations were underway, Uber already knew it had been breached again but failed to promptly inform the FTC as required.
Breach Déjà Vu
As the FTC notes, the 2016 breach was strikingly similar to the one two years prior.
Uber disclosed last November that, in around October 2016, hackers accessed a back-up file containing data on 57 million accounts belonging to its riders and drivers worldwide. The credentials for the back-up file, which was stored on S3, had also been left on GitHub.
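Both incidents described above, the 2014 breach and the 2016 breach, came down to the same root cause: AWS credentials for an S3 bucket committed to a GitHub repository. The scanner below is an added example, written for this page rather than taken from the article, Uber or the FTC, of the kind of pre-commit check that catches exactly that mistake before a push. It assumes the documented AWS access key ID prefixes (AKIA for long-term keys, ASIA for temporary ones) and a keyword-anchored pattern for 40-character secret access keys; the sample file contents are constructed for the demonstration and use AWS's own published example credentials, which are not valid keys.

```python
"""Pre-commit style scanner for AWS credentials left in source files.

Added example, not code from the article or from Uber. Patterns assume the
documented AWS key formats; file contents below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case
# alphanumerics. Assumption based on AWS's documented key format.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys have no fixed prefix, so anchor on a nearby variable name
# (aws_secret_access_key, AWS_SECRET_KEY, ...) followed by a 40-char value.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned text
    kind: str        # which credential pattern matched
    redacted: str    # first and last four characters only, safe to log


def redact(value: str) -> str:
    """Keep enough of the value to identify it without reproducing it in logs."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return every credential-looking token found in the text, by line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", redact(match.group(1))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_secret_access_key", redact(match.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of path -> contents (what a pre-commit hook would be handed)."""
    return {path: hits for path, contents in files.items() if (hits := scan_text(contents))}


def files_safe_to_commit(files: Dict[str, str]) -> bool:
    """True when no staged file contains a credential; a hook would exit non-zero otherwise."""
    return not scan_files(files)


# Constructed sample files. The key values are AWS's published documentation
# examples, not real credentials. config.py is the mistake; settings_env.py is
# the fix (credentials come from the environment, never from the repository).
SAMPLE_FILES = {
    "config.py": (
        "# constructed example of the anti-pattern\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BACKUP_BUCKET = "s3://example-backups/"\n'
    ),
    "settings_env.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    ),
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for hit in hits:
            print(f"{path}:{hit.line}: {hit.kind} ({hit.redacted})")
    print("safe to commit:", files_safe_to_commit(SAMPLE_FILES))
```

Run as a Git pre-commit hook over the staged files, the check refuses the commit that contains `config.py` and lets `settings_env.py` through. Catching the key at commit time matters because, as the two Uber incidents show, a key that reaches a public repository has to be treated as compromised and rotated immediately; deleting the commit afterwards does not undo the exposure.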
Uber knew about the breach for about a year, later disclosing it paid two informants a $100,000 bug bounty. But the two informants had initially tried to extort Uber. After the payment was made, Uber did not disclose the breach to consumers or regulators (see Uber Concealed Breach of 57 Million Accounts for a Year).
The FTC's revised agreement now tightens the conditions under which Uber reports incidents to the agency. Uber will have to submit all reports completed by independent third-party auditors and not just the initial one, the FTC says.
As for bug bounties, Uber "must retain certain records related to bug bounty reports regarding vulnerabilities that related to potential or actual unauthorized access to consumer data."
Uber is still facing probes by state attorneys general in Pennsylvania, Illinois, Connecticut, New York and Massachusetts.
In Pennsylvania, some 13,500 drivers were affected. The state could seek up to $1,000 for each violation, for a total of $13.5 million in civil penalties against Uber (see Pennsylvania Sues Uber Over Late Breach Notification).
In the U.S., there is no federal data breach notification law, but all 50 states now have notification laws on the books. The Facebook leak, however, appears to have nudged some lawmakers toward considering whether data-gathering companies should be under tighter rules (see Senators Raise Issue of Regulating Facebook).
Europe has already made that decision. Failing to protect data there will soon have stern consequences.
On May 25, enforcement of the General Data Protection Regulation begins. It's perhaps the strongest legislation on personal data and privacy, with organizations required to report data breaches within 72 hours of discovery. Fines for violations can range up to a maximum of 4 percent of a company's annual global revenue or $28 million, whichever is greater.