Uber admits to covering up 2016 data breach in agreement with feds
SAN FRANCISCO – Federal prosecutors announced Friday that Uber has admitted to and taken responsibility for a coverup associated with a significant data breach the ride-hailing giant experienced in 2016.
According to Northern California U.S. Attorney Stephanie Hinds' office, the San Francisco-based company entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the coverup. In the agreement, Uber admitted to concealing its data breach from the Federal Trade Commission, which was investigating the company's data security practices at the time.
Prosecutors said when the FTC asked Uber to provide information, company personnel didn't report the breach, which took place in November 2016. During the breach, hackers used stolen credentials to access a private source code repository and obtain a private access key.
Hackers were then able to access what was described as "large quantities of data" associated with Uber customers and drivers. The data included 57 million user records and 600,000 drivers' license numbers.
Prosecutors said the breach was not reported to the FTC until a year later, after a change in executive leadership.
In 2017, Uber CEO and founder Travis Kalanick resigned and was replaced by Dara Khosrowshahi. The departure came as the company faced multiple controversies, including issues of sexual harassment, allegations of trade secrets theft and an investigation for allegedly misleading local government regulators.
Prosecutors cited several reasons behind the non-prosecution agreement, including the change in leadership, an agreement with the FTC to maintain a comprehensive privacy program, and the company's full cooperation with the government in the case. The agreement also noted that Uber reached a $148 million settlement with attorneys general in all 50 states and the District of Columbia over the matter.
Former Uber Chief Security Officer Joseph Sullivan is still facing trial for his alleged role in covering up the data breach.