Uber did not disclose that, in 2016, attackers obtained a credential that let them download sensitive data from its cloud storage. The files were unencrypted and contained 25 million names and email addresses, 22 million phone numbers, and 600,000 names paired with driver's license numbers.
These are the accusations of the US Federal Trade Commission (FTC), which also says Uber paid $100,000 to the people who broke into its systems, routing the payment through a third-party "bug bounty" program. Uber did not tell the public or the FTC about the breach until November 2017. A 20-year-old man in Florida is alleged to be responsible and to have received the money. He was paid, through a program normally used to reward researchers who find and report flaws in code, in exchange for destroying the data.
Uber then reportedly had the hacker sign a non-disclosure agreement, citing the need not to encourage further attacks. According to Reuters, Uber even conducted its own investigation to confirm that the data had in fact been deleted. The young man was "living with his mom in a small home trying to help pay the bills," Uber's security team said in December.
The company decided not to pursue him legally. This is common practice among companies, which often choose not to report the largest intrusions because they believe direct negotiation with the intruders is easier, limits the damage, and avoids alarming customers. After the breach became public, Uber dismissed its chief security officer, Joe Sullivan, and his deputy, Craig Clark.
US authorities say bug bounty programs do not give Uber, or any other company, the power to decide for itself whether a crime has been committed. The FTC maintains that Uber's bug bounty program was created to financially reward those who responsibly disclose a vulnerability in its systems, not to pay off those who exploit such vulnerabilities to access customers' personal information.
The FTC imposed no fine because Uber agreed to expand the settlement it had already reached with the FTC over a separate 2014 breach so that it also covers the 2016 hack, which exposed data on 57 million riders and drivers. The expanded agreement provides for substantial civil penalties if Uber fails to disclose future breaches. It also obliges the company to retain records of all bug bounty submissions and all reports of vulnerabilities in its systems. The proposed agreement is open for public comment for 30 days, until May 14, after which the FTC will decide whether to finalize it. Each violation could carry a civil penalty of up to $41,484, and the article notes that a breach affecting 20 million or more people could be counted as that many violations.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said acting FTC Chair Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”