Two computer hackers have pleaded guilty to concocting an extortion scheme that entangled Uber in a yearlong cover-up of a data breach that stole sensitive information about 57 million of the ride-hailing service’s passengers and drivers.
The pleas entered Wednesday in a San Jose, California, federal court by Brandon Charles Glover and Vasile Mereacre resurrected another unseemly episode in Uber’s checkered history.
Glover, 26, and Mereacre, 23, acknowledged stealing personal information from companies that was stored on Amazon Web Services from October 2016 to January 2017 and then demanding to be paid to destroy the data.
Uber met the hackers’ demand with a $100,000 payment, but waited until November 2017 to reveal that the personal information of both its riders and drivers around the world had fallen into the hands of criminals.
U.S. Attorney David Anderson ripped into Uber for not immediately alerting authorities about the loss of so much personal information that could have been used for identity theft and other malicious purposes.
“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” Anderson said in a statement.
Uber declined to comment on the guilty pleas and Anderson’s criticism.
The San Francisco company has previously said it mishandled the data breach. By the time Uber came clean about the incident, it had ousted its co-founder, Travis Kalanick, as CEO. Dara Khosrowshahi was then brought in to replace Kalanick and burnish an image that had been tarnished by revelations of rampant sexual harassment within Uber’s ranks , attempts to dupe government regulators and accusations of stealing self-driving car technology.
As part of their scheme, Glover and Mereacre also tried to blackmail Lynda.com, part of professional networking service LinkedIn, according to authorities. Instead of meeting those demands, LinkedIn tried to identify the extortionists, the government said.
The two men each face up to five years and prison and a $250,000 fine. A status conference about their sentencing has been scheduled for March 18 before U.S. District Judge Lucy Koh.
Related: Uber Hacked: Information of 57 Million Users Accessed in Covered-Up Breach