Uber Technologies Inc. has agreed to broaden its proposed settlement with the Federal Trade Commission (FTC) over its deceptive privacy and data security practices after the commission discovered that the car-sharing company had failed to disclose a major 2016 breach.
The agency had already announced the settlement last August, over a previous incident in 2014, when it discovered that Uber had been less than forthcoming about a second breach.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said in a release. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
Uber paid a 20-year-old Florida hacker $100,000 to destroy data taken in the hack, which exposed the personal data of 57 million drivers and passengers. The payment was made through the company’s bug bounty program.
The new provisions in the proposed settlement will require Uber to disclose certain future incidents involving consumer data, provide the commission with all reports from third-party audits of the company’s privacy program, and retain specified records pertaining to bug bounty reports that detail vulnerabilities related to unauthorized access, actual or potential, of consumer data.