According to CNN, the FTC has agreed to expand a prior settlement concerning Uber’s data practices and a breach in 2014 to include the 2016 breach, which involved data on at least 57 million customers. Despite there now being two separate incidents on the record, the FTC has somehow opted to just kinda warn Uber not to pull these shenanigans again, CNN reported:
Uber will have to notify the FTC if customer data is exposed in any future incidents or hacks. Uber is not on the hook for any payments or fines under the agreement. However, if the company fails to notify the FTC of another breach, it could face civil penalties.
Under the expanded settlement, all third-party audits of Uber’s privacy program will be sent to the FTC. The agreement will be posted publicly and open to comment for 30 days, after which the FTC can make it official.
In a statement, acting FTC director Maureen Ohlhausen wrote, “After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach.”
This means the most significant consequences fell not on the company but on the two employees who reportedly lost their jobs over the incident, chief of security Joe Sullivan and counsel Craig Clark.
Per USA Today, both the 2014 and 2016 incidents involved engineers who stored customer data on GitHub, a public code-hosting platform. The 2016 incident exposed customer names and email addresses, as well as the license numbers of some 600,000 US-based drivers.
Uber paid out $100,000 to hackers who accessed the data in exchange for their silence, and former CEO Travis Kalanick reportedly buried the incident so deeply that incoming successor Dara Khosrowshahi only discovered it after taking control. (Nonetheless, Khosrowshahi waited months to disclose the breach to the public.) Uber was negotiating with the FTC over the 2014 incident at the time news of the 2016 breach emerged.
Per Wired, the FTC has limited enforcement power in the case of initial violations. There’s little the agency could do but threaten fines over the 2014 incident—but the decision to let Uber off easy over the 2016 one is especially curious, seeing as it happened immediately after the FTC closed its prior investigation.
“It appears they violated the FTC consent order before the ink was dry on it,” Ballard Spahr legal advisor Ed McAndrew told CNET.
Uber may not escape financial penalties entirely. The company is facing multiple lawsuits over the breach, including one filed by the city of Los Angeles.