FTC 'Closely Evaluating' Uber's Latest Data Breach
The FTC said Wednesday it's "closely evaluating the serious issues raised" in Uber's announcement of a data breach that occurred in 2016, exposing private sensitive information of 57 million Uber customers around the world. "We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach," an FTC spokesman said. Uber CEO Dara Khosrowshahi blogged Tuesday that hackers stole names and driver’s license numbers of around 600,000 people in the United States, but that the company has not found evidence that customers' "trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded." The breach occurred just three months after Uber settled a complaint with the FTC for allegedly failing to protect sensitive customer information in a 2014 breach (see 1708150010).
"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," Khosrowshahi's blog said. Uber said it fired two people involved in its probe of the breach and brought in cybersecurity consultant Matt Olsen, former NSA general counsel, to help Khosrowshahi "think through" the problem.
Missouri Attorney General Josh Hawley (R) also announced his office will investigate the Uber data breach and whether the company’s ensuing conduct violated Missouri consumer-protection and data-privacy laws. The AG’s office sent a letter Wednesday to Khosrowshahi demanding that Uber immediately notify all affected consumers, protect those consumers’ personal information, and prevent any future breaches.
“It’s Groundhog Day for Uber -- not good news for the initial investigative team,” said Ballard Spahr cyber attorney Ed McAndrew, a former federal prosecutor who now advises clients on cyber defense. At the same time Uber was agreeing in the FTC case to create new protections to secure customer data, it was sitting on information about another hack, he told us. “This now becomes about potential fraud by failure to disclose.” The FTC order announced Aug. 15 required Uber to create a “comprehensive privacy program” addressing privacy risks for consumer services.
Khosrowshahi said the company acted “immediately” upon learning of the breach to secure the data and shut down further unauthorized access, and “obtained assurances that the downloaded data had been destroyed.” Reportedly the firm paid $100,000 in ransom to the hackers, a claim an Uber spokesman refused to confirm. “Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information,” said the Electronic Privacy Information Center. The group filed a complaint against Uber in 2015 over the company’s misuse of customer data and recently told a Senate Banking Committee hearing probing the Equifax breach that it's time for Congress to enact legislation to give consumers control over their information and create more accountability for companies that handle personal data (see 1710170034).
"It looks to me like they have violated California's data breach notification law," said John Simpson, Consumer Watchdog privacy project director. "I think there are reasonable grounds for the FTC to step in and investigate based on unfair and deceptive business practices," he said. It's also time for Congress to hold a hearing on "Uber's ongoing renegade activity," he said. "It's clear there is a need for a meaningful data breach protection law on the federal level -- but not one that would exempt state authority," he said. "California has a very good law."
Congress should approve the Consumer Privacy Protection Act of 2017 introduced Nov. 14 by Sen. Patrick Leahy, D-Vt., said a statement from Consumer Federation of America Consumer Protection Director Susan Grant. "It is time for action to be taken to ensure that companies take data security seriously. This isn’t the first data breach at Uber, but it should be the last," Grant said.