As reported on Hunton’s Privacy and Information Security Law blog, the FTC has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The revised proposed agreement goes beyond the FTC’s original settlement mandating that Uber implement a comprehensive privacy program. The expanded FTC order would require Uber to address software design, development and testing; how the company reviews and responds to third-party security vulnerability reports; and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any episode where it has to notify any U.S. government entity about the unauthorized access of any consumer’s information.
The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 Uber breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleges that when Uber learned of the breach, it then paid a $100,000 ransom through its “bug bounty” program, which is intended to reward responsible disclosure of security vulnerabilities.