(Bloomberg) -- A data breach exposed the names, phone numbers and email addresses of more than 20 million users of the Uber Technologies Inc. online ride-hailing service, federal authorities said, as they chastised the ride-sharing company for not revealing the lapse earlier.
The Federal Trade Commission said Uber failed to disclose the leak, which occurred in 2016, even as the agency investigated and sanctioned the company in 2017 for a similar data breach that happened in 2014.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said Acting FTC Chairman Maureen Ohlhausen. She announced an expansion of last year’s settlement with the company and said the new agreement was “designed to ensure that Uber does not engage in similar misconduct in the future.”
In the latest breach, intruders who gained access to a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers, the FTC said in a complaint.
Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.
Uber went through a tumultuous period in which co-founder Travis Kalanick was ousted in June following accusations that the company created a hostile environment for female employees under his leadership. Dara Khosrowshahi became chief executive in August, and promised a transparent management style.
Uber disclosed the breach in November, more than a year after discovering it, the FTC said.
“I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts,” Uber’s Chief Legal Officer Tony West said in an emailed statement.