SAN FRANCISCO (CBS SF) — Federal investigators criticized ride-sharing giant Uber Thursday for failing to disclose that it had a large data breach in 2016 while it was already under investigation by the Federal Trade Commission.
In an FTC press release, the agency said the breach — which was not revealed until Nov. 2017 — occurred in the fall of 2016 and was the result of “lax security choices Uber made in its use of the third-party cloud storage service.”
Federal investigators said in both the 2014 and 2016 breaches “intruders used an access key that an Uber engineer had posted on GitHub.”
“In a one-month period, intruders used that plain-text access key to download 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers of U.S. Uber riders and drivers,” the agency said in a press release.
The FTC said Uber learned of the breach on November 14, 2016, when an attacker contacted the company, demanding a six-figure payout. Uber paid $100,000 through the third party that administers Uber’s “bug bounty” program.
Uber had reached an agreement with the FTC covering the 2014 breach in August 2017.
“Uber failed to disclose the breach to affected consumers until November 21, 2017, more than a year after the company learned about it,” the FTC said in its release. “Furthermore, the fall 2016 breach occurred while Uber was in discussions with the FTC about its investigation of the May 2014 breach, which also related to the company’s practices for securing consumer data stored on the third-party cloud service. Despite the pendency of that probe, Uber didn’t tell the FTC about the second breach until November 2017.”
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” Acting FTC Chairman Maureen Ohlhausen told Bloomberg News.
She announced a revision of last year’s settlement with the company and said the new agreement was “designed to ensure that Uber does not engage in similar misconduct in the future.”
Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security.