Uber Technologies, Inc. (“Uber”) has agreed to an expansion of its initial August 2017 proposed consent agreement with the Federal Trade Commission (“FTC”), in light of revelations of an additional security breach in October 2016, which it knew about but did not disclose until November 2017, after it settled over its initial May 2014 breach. The second security breach occurred right in the middle of the FTC’s nonpublic investigation into Uber’s security practices from the initial breach; nevertheless, Uber failed to disclose the breach. Both breaches resulted from Uber’s lax security practices and Acting FTC Chairman Maureen K. Ohlhausen described them as “strikingly similar.” In light of the additional information, the FTC withdrew from the original proposed settlement it reached after the May 2014 breach, expanded the terms, and threatened to fine Uber for future incidents. In an attempt by new CEO Dara Khosrowshahi to set a new tone for the company, Uber agreed to the revised terms on April 12.

A Tale of Two Breaches

The allegations against Uber were detailed in the FTC’s revised complaint. The August 2017 proposed consent agreement stemmed from allegations of unreasonable security practices which resulted in a May 2014 data breach. These practices included, among others things, allowing Uber staff to use a single, company-wide access key that provided full administrative privileges over sensitive data stored in unencrypted text on a cloud service. After an Uber engineer posted the code on code-sharing site GitHub, it was used to collect personal data about more than 100,000 people. Uber also made deceptive assurances to consumers in response to reports that employees were accessing the personal information of riders.

The second breach, however, had even further reaching consequences. Once again, a key was posted to a private GitHub repository, and since Uber allowed its engineers to access the repositories through personal email accounts and did not require additional security measures such as prohibitions from reusing credentials or multi-factor authentication, a hacker was able to gain access by using data exposed in previous data breaches. The data was stored in plain text, and in a one-month period, hackers were able to steal 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers of U.S. Uber riders and drivers.

Uber’s security team and former CEO Travis Kalanick learned of this breach on November 14, 2016—in the middle of the FTC’s investigation into the first breach—after an attacker contacted the company, demanding payment of ten times the “bug bounty” program’s cap. Uber paid $100,000 through its third-party bug bounty program, but did not disclose the breach to the FTC until one year later, when an outside law firm hired by Uber’s board to investigate the activities of the former security team discovered the breach. The bug bounty program was intended to reward responsible vulnerability disclosure, not enable extortion by malicious attackers.

Arriving at a Settlement

While the August 2017 proposed settlement would have required Uber to implement a comprehensive privacy program and prohibited Uber from misrepresenting how it monitors internal access to data and protects and secures that data, the revised consent agreement sets out additional measures for Uber to follow. The revised order requires the privacy program to also address 1) secure software design, development, and testing, including access key and secret key management and secure cloud storage; 2) review, assessment, and response to third-party security vulnerability reports, including through its bug bounty program; and (5) prevention, detection, and response to attacks, intrusions, or systems failures. Uber will also be required to disclose to the FTC any episode where it had to notify a government entity about unauthorized access of any consumer information, as well as all reports from required third-party audits of Uber’s privacy program. Uber will also be required to retain certain records related to bug bounty reports identifying vulnerabilities related to unauthorized access of consumer data. Reporting and recordkeeping provisions have been expanded as well.

Uber’s One Free Ride?

After all this, Uber escapes without a fine from the FTC. That is because the agency lacks authority to fine companies for first-time offenses in data privacy matters. The FTC can only impose civil penalties where a company has violated an existing consent order, and since Uber’s failure to disclose the 2016 breach took place before the FTC had finalized its settlement over the 2014 breach, the FTC determined it did not have authority to impose a fine.

The Uber controversy shines a light on the FTC’s limited authority, which keeps it from levying fines even on some occasions where they may appear warranted. At a panel discussion hosted by the American Bar Association on April 11, FTC Commissioner Terrell McSweeny called for Congress to give the agency more privacy powers, including the ability to impose fines, arguing that the agency’s competition powers generally could not deal with these issues. Ongoing investigations in multiple states over the 2016 breach could result in the imposition of penalties.

With the signing of the expanded consent agreement, however, it appears Uber has taken its last free ride.