The FTC has now put out a statement regarding the Uber data breach which the company concealed for the best part of a year before finally disclosing it, under new CEO Dara Khosrowshahi, on Tuesday by passing details to Bloomberg.
Late yesterday a spokesperson for the federal agency told Reuters: “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised.”
Uber revealed that in October 2016 hackers had stolen personal data of 57 million users and drivers, including the names, email addresses and phone numbers of 50 million riders around the world and personal information on about 7 million drivers, among it around 600,000 US driver's license numbers.
The FTC's statement is significant because Uber only settled the agency's prior investigation into security and privacy complaints dating back to 2014 and 2015 this summer, when it agreed to 20 years of external audits and to abide by various other conditions set out in the consent order.
The security breach the FTC was looking into then was far smaller than the freshly disclosed 2016 breach: personal data of around 100,000 Uber drivers was accessed in the May 2014 incident.
The attack vector in both incidents was essentially the same. In 2014 an intruder gained access to an Amazon S3 datastore Uber was using (and storing data in plain text) after one of its engineers publicly posted an access key to GitHub.
In 2016 attackers got into a private GitHub repository used by Uber software engineers, found login credentials there, and used those to access data stored in an Amazon Web Services account, where they unearthed an archive of rider and driver data.
The fact Uber allowed not one but two attacks to happen, spaced years apart, because engineers left cloud access credentials in code repositories (one of them public) suggests security was hardly being considered, let alone prioritized.
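The credential-in-repository failure mode described above is exactly what a secret scanner, run as a pre-commit hook or a CI step, is meant to catch before a push. The following is an added illustration, not code from the original article or from Uber's own tooling: a minimal scanner for AWS access key IDs, AWS secret access keys and PEM private-key headers, run over a constructed sample settings file. The key values in the sample are the well-known placeholder credentials from AWS documentation, not real ones; the pattern names, the `Finding` type and the `scan_text`/`scan_files` helpers are this example's own.

```python
import re
import sys
from dataclasses import dataclass

# Illustrative patterns for this example (not Uber's or any vendor's tooling).
# AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-lived, ASIA temporary)
# followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-char base64-like token alone is too noisy, so it only counts when the
# same line also carries an AWS-secret-looking variable name.
AWS_SECRET_CONTEXT = re.compile(r"(?i)aws.{0,20}secret|secret.{0,20}access.{0,20}key")
BASE64ISH_40 = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log the full secret


def redact(token: str) -> str:
    """Keep just enough of the token to locate it without re-leaking it."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "..."


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per suspected credential, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(0))))
        if AWS_SECRET_CONTEXT.search(line):
            for m in BASE64ISH_40.finditer(line):
                findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(0))))
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(line_no, "private_key", "PEM header"))
    return findings


def scan_files(paths: list[str]) -> list[tuple[str, Finding]]:
    """Scan each file; unreadable files are skipped rather than crashing the hook."""
    results: list[tuple[str, Finding]] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                results.extend((path, f) for f in scan_text(fh.read()))
        except OSError:
            continue
    return results


# Constructed sample: a settings file of the kind that leaked in the incidents above.
# The values are the placeholder credentials from AWS documentation, not real keys.
SAMPLE_SETTINGS = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_BUCKET = "rider-exports"
DEBUG = False
"""

if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan the given files
    # (e.g. the staged paths handed over by a pre-commit hook). Exit non-zero on any hit.
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = [("<sample>", f) for f in scan_text(SAMPLE_SETTINGS)]
    for path, f in hits:
        print(f"{path}:{f.line_no}: {f.kind} ({f.redacted})")
    sys.exit(1 if hits else 0)
```

Two caveats a practitioner would add: a scanner on commit only helps before the push, so any key that has already reached a repository (public or private) must be treated as compromised and rotated, and pattern matching is a safety net rather than a fix; the structural fix is to stop putting long-lived keys in code at all and have the application obtain short-lived credentials from an IAM role or a secrets manager.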
The FTC consent order settling the 2014 and 2015 complaints prohibited Uber from misrepresenting how it protects the privacy, confidentiality, security, or integrity of any personal information it handles and stores.
Yet almost as soon as Uber signed the order it would likely have been in violation of it, having still not disclosed (to the FTC, or to anyone outside the company) the much larger 2016 breach. And violations of FTC consent orders can result in civil penalties.
“It appears they violated the FTC consent order before the ink was dry on it,” a former federal cybercrimes prosecutor now at the Ballard Spahr firm, Ed McAndrew, told CNET.
We’ve reached out to the FTC to ask whether it believes Uber has breached the prior consent order and also if it intends to open a formal investigation into the 2016 breach, and will update this story with any response.
In addition, while the US does not currently have a federal law requiring companies to inform the public about data breaches, the vast majority of states have enacted breach notification statutes of their own, which typically require disclosure far sooner than a year after discovery.
So Uber is likely to have breached state laws by concealing the breach for so long.
Some of the breached data is also from markets outside the US, where regulators can be stricter. In the European Union, for example, the General Data Protection Regulation, which applies from May 2018, brings in a single breach notification standard across all 28 EU Member States, requiring data controllers to inform regulators that personal data has been breached within 72 hours of becoming aware of an intrusion.
And although that law is not yet in force, expectations around breach disclosure across the EU are already being reset to meet the new standard.
Yesterday, for example, the UK’s data watchdog said the concealed Uber data breach “raises huge concerns”, as well as warning that companies which deliberately conceal breaches from regulators can attract higher fines.