Uber covered up the 2016 data breach that affected 57 million customers and drivers. The admission came as part of a settlement between the US Department of Justice (DOJ) and the taxi company, under which Uber will avoid criminal prosecution.
In a press release from the DOJ, Uber “admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company.”
As you may recall, cybercriminals breached Uber’s system years ago using stolen credentials. They accessed a private source code repository, where they obtained a private access key. They then used this key to access and copy data associated with Uber users (names, email addresses, and phone numbers) and drivers (license numbers).
The hackers used the stolen data to blackmail Uber. So, the company hid this from the public and paid the hackers $100,000 to delete the data and keep quiet.
The Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred.
Uber CEO Dara Khosrowshahi, who took over after the ousting of former CEO Travis Kalanick, along with the new leadership team, conducted an internal investigation into the breach. The outcome led to Khosrowshahi firing Joe Sullivan, Uber’s chief security officer at that time, for being complicit in the cover-up. It also led to Uber reporting the incident to its drivers, regulators, law enforcement, attorneys general, and the FTC (Federal Trade Commission).
The press release noted that the FTC will not prosecute Uber because Khosrowshahi and the new management reported the breach. The rideshare company also entered into an agreement with the FTC under which it will maintain a “comprehensive privacy program” for 20 years and will continue reporting future breaches to the FTC.
Lastly, Uber paid $148M to settle civil litigation.