The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities.

The revised proposed agreement goes beyond the FTC’s original settlement, which mandated that Uber implement a comprehensive privacy program. The expanded FTC order would require Uber to address:

  • software design, development and testing;
  • how the company reviews and responds to third-party security vulnerability reports; and
  • prevention, detection and response to attacks, intrusions or systems failures.

Uber would also be required to report to the FTC any incident in which the company must notify a U.S. government entity about unauthorized access to any consumer’s information.

Update: On October 26, 2018, the FTC gave final approval to the settlement with Uber.