SAN FRANCISCO -- After admitting to covering up a widespread hack that compromised the personal data of 57 million customers in 2016, Uber agreed to an expanded settlement with the Federal Trade Commission on Thursday.
The revised complaint could subject the ride-hailing giant to civil penalties if it does not promptly disclose similar breaches in the future. Uber did not notify the agency of the 2016 breach until the end of 2017, and had paid the hackers $100,000 to keep quiet about the breach. Uber experienced a similar hack in 2014.
"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the commission was investigating the company's strikingly similar 2014 breach," said acting FTC Chairman Maureen Ohlhausen in a statement. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future."
The 2016 hack came to light after newly minted Uber CEO Dara Khosrowshahi took over from Travis Kalanick, who was forced out after a string of public relations disasters. Under Kalanick, Uber paid $100,000 to two hackers who had got into customer and driver data thanks to a key published on a code-sharing website by an Uber engineer. The payment was for the hackers to delete their findings.
Khosrowshahi announced the breach in a November blog post.
Since the disclosure, Khosrowshahi has touted the newfound transparency of Uber, working with regulators over the fatal crash in Arizona involving one of the company's autonomous test vehicles, and releasing a blog post Thursday detailing new safety procedures.
"Helping keep people safe is a huge responsibility, and one we do not take lightly," he wrote. "That's why as CEO, I'm committed to putting safety at the core of everything we do."