But here's the thing, the FTC just wrapped up an investigation into the company over issues with how it managed its security. The agency determined that Uber didn't adequately protect data and misrepresented how secure that data actually was. Part of Uber's settlement with the FTC over that investigation included an agreement to undergo third-party privacy audits every two years for the next two decades and a promise that it would no longer misrepresent how it monitors, protects and secures consumers' personal information. At the time that settlement was announced, Uber said in a statement, "We've significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. [...] This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information."

That settlement was announced in August of this year. "It appears they violated the FTC consent order before the ink was dry on it," former cybercrime prosecutor Ed McAndrew told CNET. "At the very time they were negotiating a consent order with the FTC, they were knowingly not disclosing it."

Along with the FTC, Uber could also be investigated by several states, laws from which it violated when it didn't disclose the breach to its customers. Reuters reports that at least six states' attorneys general offices have said they'll be looking into the issue as will authorities in the UK, Australia and the Philippines. An Uber spokesperson told CNET, "We've been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward."