The Uber data leakage revealed last year is worse than reported. In 2016, intruders used an access key to download unencrypted files containing 25.6 million names and email addresses — a breach that the company failed to disclose for over a year, according to the Federal Trade Commission.
Also stolen from Uber’s cloud storage on the Amazon S3 Datastore were 22.1 million names and mobile numbers and 600,000 names and driver’s license numbers of Uber’s U.S. drivers and riders.
The FTC reported this on Thursday when announcing an expansion of the settlement it reached last August with Uber Technologies Inc. over the firm’s alleged failure to protect consumer data and disclose breaches.
As part of the expanded settlement, Uber could be hit with civil penalties for failure to disclose future breaches. In addition, it must submit to the FTC all the reports from required third-party audits of its privacy program and retain records of data vulnerabilities.
The intruders used an access key that an Uber engineer had posted on GitHub to get their hands on “a wide variety of files that contain sensitive personal information,” according to the complaint.
The intruders downloaded 16 Uber files from the Amazon S3 Datastore between October 13, 2016 and November 15, 2016.
The FTC states that nearly all of this information had been collected before July 2015 and was, at the time of the intrusion, stored in unencrypted database backup files.
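The attack path described above starts with a cloud credential committed to a public repository, which is detectable before the push. The Python below is an added example, not code from the article or from Uber, that scans file text or a staged git diff for AWS access key IDs and labelled secret keys; the sample config is constructed and uses AWS's published documentation placeholder credentials rather than real ones.

```python
import re
import subprocess
import sys
from typing import Dict, List

# An AWS access key ID is 20 characters: a four-letter prefix (AKIA for
# long-term IAM user keys, ASIA for temporary STS keys) plus 16 uppercase
# letters or digits. The secret access key is 40 base64-style characters
# and, in config files, almost always sits next to a label naming it.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,4}([A-Za-z0-9/+=]{40})\b")

def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be correlated without re-leaking it."""
    return secret[:4] + "..."

def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token with its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "value": redact(m.group(1))})
    return findings

def scan_diff(diff_text: str) -> List[Dict[str, object]]:
    """Scan only the lines a commit adds (pre-commit use); line numbers count added lines."""
    added = [l[1:] for l in diff_text.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))

# Constructed sample: a credentials file accidentally staged for commit. The values
# are AWS's documentation placeholders (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY).
SAMPLE_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # With --staged, behave as a git pre-commit hook; otherwise scan the sample.
    if "--staged" in sys.argv:
        diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
        hits = scan_diff(diff)
    else:
        hits = scan_text(SAMPLE_CONFIG)
    for f in hits:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wire it in with `.git/hooks/pre-commit` calling `python scan.py --staged`; a non-zero exit stops the commit while the key is still local.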
Uber paid the intruders $100,000 through its third-party “bug bounty” program and failed to disclose the November 2016 breach to consumers or the FTC for another year. Therefore, its claims that it would provide security for consumer data were “false or misleading,” the FTC alleges.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” states Acting FTC Chairman Maureen K. Ohlhausen.
She adds: “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”
Last year, following the 2014 data breach, the company agreed to settle a charge that it had deceived customers by failing to monitor employee access to consumers’ personal information.