Uber’s rough ride with privacy and data security continues with a revised settlement with the Federal Trade Commission (FTC) over a 2016 data breach affecting rider and driver data. The revised settlement tacks on additional requirements to a settlement reached in 2017 pertaining to another breach that Uber experienced in 2014.

According to the revised FTC complaint, the second breach was known to Uber in November 2016 but not revealed to the FTC until a year later. The hackers gained access to unencrypted, cloud-stored data for approximately 57 million people around the world by using a key that an Uber engineer posted online. Uber paid the hackers $100,000 through its “bug bounty” program, which, ironically, Uber created to reward individuals who identify security issues for the good of consumers.

In addition to failing to promptly inform the FTC about the data breach, Uber was charged with having inadequate security measures, including failure to: implement reasonable security training; ensure that its engineers were required to use distinct access keys instead of a single all-access key; restrict access based on employees’ job functions; and maintain a written security program. According to the FTC, Uber’s failure to provide reasonable security for personal information stored in its databases, including geolocation information, created serious risks for consumers.

Under the revised settlement, the ride-sharing company is required to maintain a comprehensive privacy program and submit all reports from required third-party audits of Uber’s privacy program to the FTC. Uber must also notify the FTC of any actual or potential unauthorized access to consumer data, maintain records related to bug bounty reports, and refrain from misrepresenting its privacy and data security measures. Failure to abide by the settlement terms could subject Uber to substantial civil penalties.

Acting FTC Chair Maureen Ohlhausen said, “Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach. The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

The Commission voted 2-0 to accept the revised settlement agreement and withdraw the original administrative complaint and proposed consent agreement.