Uber has agreed to expand the terms of its settlement with the US Federal Trade Commission after announcing a major breach in 2017.
In a settlement with the FTC in August, the ride-hailing company agreed to 20 years of audits after allegations that it made deceptive claims about its privacy and data security. That original agreement also required Uber to start a new privacy program.
The FTC decided to revisit that settlement after the company announced in November that hackers stole data on 57 million users and drivers. The breach, which happened in October 2016, had been covered up for more than a year. Uber paid the thieves $100,000 to delete the information.
"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach," acting FTC Chairman Maureen Ohlhausen said in a statement Thursday.
Under the new terms of Uber's settlement with the FTC, the company will now be required to provide records of its bug bounty reports related to vulnerabilities affecting consumer data. It will also have to give the FTC all reports from third-party audits, rather than just the first assessments.
"I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts," Uber's chief legal officer, Tony West, said in a statement.