As part of a deal with the US Department of Justice to avoid criminal prosecution, Uber acknowledged covering up a significant cybersecurity incident that occurred in October 2016 and exposed the private information of 57 million users and drivers.
Uber “admits that its workers neglected to report the November 2016 data breach to the [Federal Trade Commission] despite an ongoing FTC inquiry into data security at the firm,” according to a DOJ news statement. This admission allowed Uber to avoid prosecution for the cover-up.
Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key. With this key, they were able to access and copy a sizable amount of data related to Uber’s users and drivers, including about 57 million user records and 600,000 driver’s license numbers.
Only after a year did the business officially disclose the data leak, as reported by Bloomberg. The business allegedly paid the hackers a $100,000 ransom to destroy the data and keep the data breach a secret from the public and the authorities. When Travis Kalanick was fired from his role as CEO, Dara Khosrowshahi, the newly appointed CEO of Uber, took over. He later acknowledged that the cover-up was improper.
The settlement states that after identifying the breach a year later, Khosrowshahi and his staff informed the general public, drivers, and government officials. Uber’s willingness to disclose the breach and its agreement with the FTC in 2018 to notify law enforcement of any future cyberattacks both played a role in the decision not to prosecute the corporation. Additionally, the settlement acknowledges that Uber paid $148 million to resolve civil lawsuits resulting from the data breach.
It was a significant shift from the company’s management under Kalanick, who discovered the hack a month after it happened. Due to his involvement in the cover-up, Joe Sullivan, who was at the time Uber’s top security officer, was fired by Khosrowshahi in 2017. After attempting to conceal a data breach from the FTC and Uber management, Sullivan was eventually charged with obstructing justice. The trial in his case is expected to begin in September 2022.
In addition to driver’s license numbers for almost 600,000 US drivers, the attack revealed the names, email addresses, and phone numbers of more than 7 million Uber drivers and more than 50 million Uber users worldwide.