The 2016 data breach that Uber made public in November 2017 impacted over 25 million riders and drivers in the United States, the Federal Trade Commission (FTC) reveals.
The hack, which the ride-sharing company kept silent about for a year, impacted more than 57 million users globally. Hackers managed to access data stored on an Amazon Web Services (AWS) account and steal names, email addresses and mobile phone numbers of customers around the world.
In February this year, Uber's chief information security officer said that two individuals living in Canada and Florida were responsible for the massive data breach.
In an attempt to cover up the hack, Uber paid the attackers $100,000 through its third-party “bug bounty” program, which was designed to reward those who responsibly disclose vulnerabilities, rather than those who maliciously exploit them.
The company came under scrutiny after the hack was made public in November 2017, and even became the target of a US criminal investigation. The data breach was revealed only three months after Uber agreed to implement new data protection measures in a settlement with the FTC over a 2014 incident.
Now, the Commission says the ride-sharing company has agreed to expand the proposed settlement and that it will be subject to additional requirements. Under the new settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future breaches within the required time.
In a revised complaint (PDF) issued this week, the FTC claims hackers used an access key an Uber engineer had posted on a code-sharing website to access consumer data on a third-party cloud provider’s servers in November 2016.
The complaint alleges that attackers downloaded unencrypted files that provided them with access to over 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. individuals.
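The complaint's account of the initial access, an access key posted to a code-sharing website, is the kind of leak that a pre-commit secret scanner is meant to catch before the push happens. The following is an added example written for this article and is not Uber's tooling or anything from the FTC filing; it scans text or files for credential-shaped tokens and reports them with the value masked. The access-key regex follows the documented AWS access key ID layout (the `AKIA`/`ASIA` prefix plus 16 upper-case alphanumerics); the `secret_assignment` regex is an assumed heuristic for a 40-character value assigned to a variable whose name contains "secret", and the config it scans by default is a constructed sample, not a real credential.

```python
"""Pre-commit style scanner for committed cloud credentials (added example)."""
import re
import sys
from dataclasses import dataclass

# Credential layouts checked. Assumption: the access-key regex follows the
# documented AWS format ("AKIA"/"ASIA" followed by 16 upper-case alphanumerics);
# the secret regex is a heuristic for a 40-character value assigned to any
# variable whose name contains "secret".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)secret[\w-]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    kind: str
    redacted: str  # first/last 4 characters only, so the report itself leaks nothing


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file, mask the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return one Finding per credential-shaped token, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the capture group when the pattern has one, else the whole match.
                value = match.group(match.lastindex or 0)
                findings.append(Finding(source, lineno, kind, redact(value)))
    return findings


def scan_files(paths):
    """Scan files on disk; unreadable or binary files are skipped, not failed."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample config (not a real credential) used when run without args.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEKEY000000
aws_secret_access_key = examplesecretexamplesecretexamplesecret0
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample")
    for f in hits:
        print(f"{f.source}:{f.line}: {f.kind} {f.redacted}")
    # A non-zero exit blocks the commit when this runs as a pre-commit hook.
    sys.exit(1 if hits else 0)
```

Wired in as a pre-commit hook over the staged files, a non-zero exit stops the commit before the key ever reaches a shared repository; the masked output is deliberate, because a scanner that prints the full secret into CI logs just moves the leak somewhere else. Pattern matching of this kind catches well-formed keys only, so it complements rather than replaces short-lived credentials and key rotation.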
The revised order (PDF) not only compels Uber to disclose certain future incidents involving consumer data, but also requires the company to submit to the Commission “all the reports from the required third-party audits of Uber’s privacy program rather than only the initial such report.”
Uber is also required to retain records related to bug bounty reports on security bugs that could result in unauthorized access to consumer data.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” Acting FTC Chairman Maureen K. Ohlhausen said.
“The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Ohlhausen continued.