A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber Technologies Inc.’s service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier.
The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. Bloomberg News reported the breach in November.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year’s settlement with the company and said the new agreement was “designed to ensure that Uber does not engage in similar misconduct in the future.”
In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers, the FTC said in a complaint.
Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.
Uber went through a tumultuous period last year in which co-founder Travis Kalanick was ousted in June following accusations that the company created a hostile environment for female employees under his leadership. Dara Khosrowshahi was named chief executive officer in August and promised a transparent management style.
As part of Khosrowshahi’s turnaround effort, Uber said Thursday it would begin running background checks on drivers annually, in addition to its current practice of conducting such checks when they sign up to work for Uber. The ride-hailing company also said it will begin monitoring for drivers who commit new offenses.
Bloomberg first reported the data breach in November when Uber disclosed the incident. The FTC scolded Uber for waiting more than a year after discovering it. The company had also said it paid the attackers $100,000 to delete the data and keep the breach quiet, an unusual move that concealed the episode for more than a year.
“I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts,” Uber Chief Legal Officer Tony West said in an emailed statement.