In its August 2017 proposed consent agreement with Uber, the FTC alleged, among other things, that the company’s unreasonable security practices resulted in a May 2014 data breach. But there’s more to the story now. According to the FTC, Uber experienced another breach in the fall of 2016 – right in the middle of the FTC’s nonpublic investigation – but didn’t disclose it to the FTC until November 2017. To address that issue, the FTC has withdrawn from its original settlement with Uber and announced a new proposed settlement. It’s the story behind that story that your company will want to know about.
In addition to a count about deceptive assurances Uber made to consumers in response to reports that employees were accessing riders’ personal information, the FTC’s August 2017 complaint included a second count related to security lapses in Uber’s use of a third-party cloud storage service. Despite the company’s expansive security claims, the FTC charged that a series of Uber decisions and omissions – when taken together – resulted in unreasonable security for personal data Uber stored on that service.
Among the lapses the FTC challenged, one proved particularly damaging: Uber’s policy of allowing its staff to use a single access key that provided full admin privileges over the sensitive data Uber stored in clear, unencrypted text on that cloud service. Why was that decision so fateful? Because when an Uber engineer publicly posted an access key on GitHub, a code-sharing site popular with software developers, an intruder used that all-access backstage pass to grab personal data about more than 100,000 people.
That May 2014 breach was cited in the FTC’s original action against Uber. However, Uber experienced another breach in the fall of 2016 also stemming from lax security choices Uber made in its use of the third-party cloud storage service. Once again, intruders used an access key that an Uber engineer had posted on GitHub. This time, the key was posted to a private GitHub repository. However, Uber let its engineers access the company’s GitHub repositories through engineers’ individual accounts, which were generally tied to personal email addresses. Uber didn’t prohibit its engineers from reusing credentials and didn’t require them to enable multi-factor authentication when accessing the company’s GitHub repositories. The intruders said they got access by using passwords that were exposed in other big data breaches. In a one-month period, intruders used that plain-text access key to download 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers of U.S. Uber riders and drivers.
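One defender-side control for the failure described above (a cloud access key committed to a code repository) is a secret scanner that runs over a commit's diff before it is pushed, for example as a pre-commit hook. This is an added example, not code from the FTC post or from Uber; the AWS-style key-ID format, the entropy threshold and the sample diff are assumptions, and every key value in it is constructed.

```python
import math
import re
from collections import Counter

# Credential patterns. The FTC post does not name the cloud provider; the AWS-style
# "AKIA..." key-ID format is an assumption, alongside a generic secret assignment.
KEY_PATTERNS = {
    "aws_style_key_id": re.compile(r"\b(?P<token>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:secret|access)[_-]?key\s*[:=]\s*['\"](?P<token>[A-Za-z0-9/+=]{20,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; random-looking secrets score high, placeholders low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_diff(diff_text, entropy_threshold=4.0):
    """Scan the added ('+') lines of a unified diff for credential-like tokens.
    Returns a list of (diff_line_number, pattern_name, token)."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added lines, skipping the '+++ b/file' header
        for name, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group("token")
                # Fixed-format key IDs are flagged outright; generic secret
                # assignments only when the value is high-entropy, so that
                # obvious placeholders do not block every commit.
                if name == "aws_style_key_id" or shannon_entropy(token) >= entropy_threshold:
                    findings.append((lineno, name, token))
    return findings

# Constructed sample diff; the key values are made up and not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/storage.py b/config/storage.py
--- a/config/storage.py
+++ b/config/storage.py
@@ -1,1 +1,4 @@
 BUCKET = "rider-exports"
+ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
+SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for lineno, name, token in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: {name}: {token[:6]}...")
```

Wired into a pre-commit hook, a non-empty result from scan_diff should reject the commit; the third added line in the sample shows the low-entropy placeholder being ignored.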
Uber learned of the breach on November 14, 2016, when an attacker contacted the company, demanding a six-figure payout. Uber paid $100,000 through the third party that administers Uber’s “bug bounty” program. Many companies have bug bounty programs to offer rewards for the responsible disclosure of serious security vulnerabilities. But unlike a legitimate bug bounty, this was an Uber payout to the same attackers who maliciously exploited the vulnerability to steal personal information about millions of people.
Uber failed to disclose the breach to affected consumers until November 21, 2017, more than a year after the company learned about it. Furthermore, the fall 2016 breach occurred while Uber was in discussions with the FTC about its investigation of the May 2014 breach, which also related to the company’s practices for securing consumer data stored on the third-party cloud service. Despite the pendency of that probe, Uber didn’t tell the FTC about the second breach until November 2017.
What’s the upshot of this revelation? When the FTC announces an administrative settlement, the proposed consent agreement is put on the record for 30 days for public comment. After considering the comments, the FTC either accepts the order as final or doesn’t. In this instance, the FTC has withdrawn its proposed settlement with Uber and is entering into a new agreement that also will be on the record for 30 days for public comment beginning today through May 14, 2018. The FTC will then decide whether it should withdraw from the new agreement or accept it as final.
What’s different about the new proposed complaint and order? The complaint includes an additional section describing the allegations related to the fall 2016 data breach. The proposed order features a number of additional provisions designed to address what happened in this case and protect consumers in the future. You’ll want to read the order for the specifics, but here are some ways that it’s notably broader.
The order proposed in August 2017 would have required Uber to implement a comprehensive privacy program. The new order requires the program also to address: 1) secure software design, development, and testing, including access key management and secure cloud storage; 2) how Uber reviews and responds to third-party security vulnerability reports, including its bug bounty program; and 3) prevention, detection, and response to attacks, intrusions, or systems failures. Under a new provision, Uber will have to submit a report to the FTC about any episode where the company has to notify any U.S. federal, state, or local government entity about the unauthorized access of any consumer’s information. And the reporting and recordkeeping provisions have been expanded to keep a closer eye on what Uber is up to, including the operation of its bug bounty program and communications with other law enforcers.