Uber admitted to covering up a massive cybersecurity attack that took place in October 2016, exposing the confidential data of 57 million customers and drivers, as part of a settlement with the US Department of Justice to avoid criminal prosecution.
In order to not be prosecuted for the cover-up, Uber “admits that its personnel failed to report the November 2016 data breach to the [Federal Trade Commission] despite a pending FTC investigation into data security at the company,” according to a press release from the DOJ.
Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key, which they then used to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 driver’s license numbers.
The data breach was only revealed a year later in when the company publicly disclosed it, as reported by Bloomberg. The company allegedly paid its hackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators. At the time, newly appointed Uber CEO Dara Khosrowshahi, who had taken over from former CEO Travis Kalanick after the latter was ousted from his position, admitted that the cover-up should not have happened.
According to the settlement, Khosrowshahi and his team reported the breach to the public, drivers, and government authorities after discovering it a year later. The decision not to prosecute the company was, in part, based on Uber’s decision to disclose the breach as well as an agreement with the FTC in 2018 to report any future cyberattack to government regulators. The settlement also acknowledges that Uber paid $148 million to settle civil litigation tied to the data breach.
It was a sharp turnaround as compared to the company’s leadership under Kalanick, who learned of the breach a month after it occurred. Joe Sullivan, Uber’s chief security officer at the time, was also complicit in the cover-up, leading to his firing by Khosrowshahi in 2017. Sullivan was later charged with obstruction of justice for trying to hide a data breach from the FTC and Uber management. His case is scheduled to go to trial in September 2022.
The hack included names, email addresses, and phone numbers of more than 50 million Uber riders worldwide, while more than 7 million Uber drivers had similar data exposed on top of driver’s license numbers for around 600,000 US drivers.