Uber has agreed to an expanded settlement with the Federal Trade Commission (FTC) over its massive 2016 data breach, and now faces civil penalties if it fails to notify the regulator of future incidents.
The under-fire ride-sharing company struck its original deal with the FTC before revelations emerged that the firm had suffered a damaging breach of 57 million global riders and drivers, then tried to hush it up by paying the hackers $100,000.
The new settlement confirms details of that incident, well understood by now, in which hackers accessed an Amazon Web Services account “access key” stored on code sharing site GitHub, allowing them to download unencrypted files containing the sensitive personal data.
By failing to use multi-factor authentication for its GitHub account, Uber had exposed the credential to malicious third parties able to brute force or guess the account password.
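As an added illustration of the control that would have caught a credential like the one described above, here is a small Python scanner that flags AWS access key IDs and high-entropy 40-character secrets in file content before it is committed; it is not part of the original article and not Uber's or the FTC's code. The sample input is constructed and uses the placeholder key values from AWS's own documentation.

```python
import re
from math import log2

# Constructed file content standing in for a committed config file. The two
# key values are the placeholder credentials used in AWS's documentation,
# not real secrets and not anything taken from the article.
SAMPLE_FILE = """\
# deploy settings (constructed example)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BUILD_COMMIT=da39a3ee5e6b4b0d3255bfef95601890afd80709
DB_HOST=db.internal.example
"""

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters with no fixed prefix.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# Bits per character. A 40-char hex digest (commit hash, SHA-1) stays below 4.0
# because it has at most 16 distinct symbols, so this cut-off filters them out.
SECRET_ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[dict]:
    """Return one finding per credential-looking token, with its 1-based line."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_CANDIDATE_RE.finditer(line):
            # No prefix to match on, so rely on entropy to separate secrets from hashes.
            if shannon_entropy(m.group(0)) > SECRET_ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: possible {f['kind']} starting {f['value'][:4]}...")
```

Wired into a pre-commit hook, a non-empty result from `scan_text` should block the commit; the entropy cut-off keeps same-length hex values such as commit hashes from producing false positives.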
The new settlement compels Uber to disclose “future incidents” involving consumer data and submit all reports from third-party audits of its privacy program, rather than the originally requested initial report. It also has to retain certain bug bounty report records of vulnerabilities that relate to “potential or actual unauthorized access to consumer data.”
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the commission that it suffered another data breach in 2016 while the commission was investigating the company’s strikingly similar 2014 breach,” said acting FTC chairman Maureen Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
The original settlement, now consigned to the bin, charged that Uber failed to live up to claims that it closely monitored employee access to rider and driver data and that it had deployed “reasonable measures” to secure personal data stored on a cloud provider’s servers.
If Uber fails to disclose a future breach, and it involves data on European citizens, it will also face the possibility of severe GDPR fines, up to €20m ($24.7m) or 4% of global annual turnover.