Uber Agrees to 20 Years of Cybersecurity Audits after FTC Raises Concerns

Ride-hailing giant Uber has agreed to expand on its proposed settlement with the US Federal Trade Commission over charges of deceiving its customers about its privacy and data security protocols.

The FTC previously mandated Uber to start a new privacy program in November after learning that hackers had stolen the data of some 57 million users and drivers globally, a breach that Uber had covered up for over a year.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen said in a statement, damningly.

The revised complaint, issued today, also sees the FTC allege that Uber had learned that intruders had, once again, accessed customer data stored on its third-party cloud provider’s servers using an access key posted by an Uber engineer on a code-sharing website in November 2016. Intruders then used to download unencrypted files containing over 25 million names and email addresses, 22 million names and mobile phone numbers and 600,00 names and driver’s license numbers of US Uber drivers and riders.

Now, the FTC has decided to revisit that settlement and, under the new terms, Uber will be required to provide bug bounty reports related to all vulnerabilities concerning customer data. Furthermore, Uber will also need to provide the FTC with all reports from third-party audits, not just the first assessments.

Furthermore, Uber will also be subject to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access of consumer information.

Image credit: Pexels.