Uber agrees to revised settlement with FTC following revelation of 2016 data breach

Uber has agreed to expand a settlement it reached with the Federal Trade Commission (FTC) last year in light of a massive data breach that the company revealed months after the agreement with regulators to settle previous privacy violations.

Like the previous settlement, which was reached in August, the revised agreement does not include a monetary fine for the breach that compromised information for 57 million people.

{mosads}“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Maureen Ohlhausen, the acting FTC chairwoman, said in a statement. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

Under the terms of the new agreement, Uber has to disclose any future data breaches to the FTC or risk fines.

Uber did not reveal the 2016 breach until November of last year, after Dara Khosrowshahi took over as CEO, replacing the embattled founder Travis Kalanick.

“I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts,” Uber chief legal officer Tony West said in a statement.

The settlement will also require the ride-hailing company to submit to regular independent privacy audits for the next 20 years.

Hackers stole information, including names and email addresses, in the 2016 hack. Uber paid $100,000 to the hackers to delete the data and cover up the incident. 

The company made the payment through a “bug bounty” program, which firms use to reward cybersecurity researchers for discovering vulnerabilities in their digital infrastructure.

During a congressional hearing in February, Uber acknowledged that the bug bounty program was not an “appropriate vehicle for dealing with intruders who seek to extort funds from the company.”