April 12, 2018

Uber Agrees to 20 Years of Cybersecurity Audits after FTC Raises Concerns

Ride-hailing giant Uber has agreed to expand on its proposed settlement with the US Federal Trade Commission over charges of deceiving its customers about its privacy and data security protocols.

The FTC's original proposed settlement, announced in August 2017, already required Uber to implement a comprehensive privacy program. In November 2017 it then emerged that hackers had stolen the data of some 57 million users and drivers worldwide in 2016, a breach Uber had concealed for over a year.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said in a statement.

The revised complaint, issued today, also alleges that in November 2016 Uber learned that intruders had once again accessed customer data stored on its third-party cloud provider’s servers, this time using an access key an Uber engineer had posted on a code-sharing website. The intruders used that key to download unencrypted files containing over 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of US Uber drivers and riders.
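The attack path described above, a cloud access key committed to a public code-sharing site and then replayed against the provider's storage, is the kind of leak a pre-commit secret scan is meant to catch before the push. The following is an added example written for this page, not code from the article or from Uber. The article does not name the cloud provider, so the example assumes AWS-style access key IDs (the `AKIA`/`ASIA` prefix) purely as an illustration, and the diff it scans is constructed here using Amazon's documented placeholder credentials, not real keys.

```python
import re

# AWS-style access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 chars.
# Assumption for illustration only: the article does not name Uber's cloud provider.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character secret assigned to a variable whose name says "secret access key".
SECRET_ASSIGNMENT = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

# Unified-diff hunk header; group 1 is the first line number on the new-file side.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_text(text, source="<text>"):
    """Return (source, line_number, kind, value) for every credential-looking match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((source, lineno, "access_key_id", m.group(0)))
        for m in SECRET_ASSIGNMENT.finditer(line):
            findings.append((source, lineno, "secret_access_key", m.group(1)))
    return findings


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff, the view a pre-commit hook has.

    Reported line numbers are positions in the new version of each file.
    """
    findings = []
    path = None
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_lineno = int(header.group(1))
            continue
        if raw.startswith(("-", "\\")):
            continue  # removed lines and "\ No newline" markers are not in the new file
        if raw.startswith("+"):
            for _, _, kind, value in scan_text(raw[1:], path):
                findings.append((path, new_lineno, kind, value))
        new_lineno += 1  # context and added lines both occupy a new-file line
    return findings


def redact(value):
    """Show enough of a finding to triage it without re-leaking the credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


# Constructed sample commit (placeholder credentials from Amazon's documentation,
# not real keys): an engineer replaces environment lookups with hard-coded values.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "exports"
"""


def precommit_check(diff_text):
    """Return (ok, report_lines); a hook would exit non-zero when ok is False."""
    findings = scan_diff(diff_text)
    report = [f"{p}:{n}: {kind} {redact(v)}" for p, n, kind, v in findings]
    return not findings, report


if __name__ == "__main__":
    ok, report = precommit_check(SAMPLE_DIFF)
    print("\n".join(report) or "no credentials found")
    raise SystemExit(0 if ok else 1)
```

Wired into a pre-commit hook or CI step that feeds it `git diff --cached`, the check blocks the commit and prints only redacted values. A hit should still trigger key rotation: the credential already exists in the developer's working tree and possibly in local history, and scanning added lines only tells you it was about to be shared, not that it is safe.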

Now the FTC has revisited that settlement. Under the new terms, Uber must provide the FTC with bug bounty reports for all vulnerabilities concerning customer data, and must hand over the reports from all third-party audits, not just the first assessment.

Uber will also be subject to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to consumer information.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.

Related articles

Uber Paid 20-Year-old Florida Man to Destroy Data as ‘Bug Bounty’ Program

Uber has reportedly paid $100,000 as a pay-off to a hacker who stole the personal data of some 57...


Uber Paid Hackers $100,000, Hid Data Breach Affecting 57 Million Uber Users

Hackers stole the personal data of 57 million Uber customers and drivers in a major data breach in...


FTC Slaps $3.5 Million Fine on Lenovo for Superfish Adware

Laptop maker Lenovo has agreed to pay a $3.5 million fine for pre-installing adware on hundreds of...
