Connect with us

Hi, what are you looking for?


Incident Response

Uber Settles With Federal Investigators Over 2016 Data Breach Coverup

Uber has entered a non-prosecution agreement to resolve a criminal investigation into the manner in which the company handled a 2016 data breach that impacted 57 million users and drivers.

Uber has entered a non-prosecution agreement to resolve a criminal investigation into the manner in which the company handled a 2016 data breach that impacted 57 million users and drivers.

In November 2017, Uber disclosed that two individuals had accessed a third-party cloud service containing user data, and announced that two employees in charge of leading the response to the breach were no longer with the company.

In early 2018, Uber CISO John Flynn confirmed during a Senate committee hearing that the hackers obtained credentials from a private GitHub site and then used them to access an Amazon Web Services (AWS) S3 bucket used for backup purposes.

Flynn also admitted that, in November 2016, after being contacted by one of the individuals and confirming the data breach, Uber agreed to pay the hackers $100,000 via its HackerOne-based bug bounty program, in an attempt to keep the incident quiet.

In September 2018, Uber settled with all 50 states and the District of Columbia, agreeing to pay $148 million and to tighten data security after failing for a year to notify users and drivers of the data breach.

In 2020, former Uber CSO Joe Sullivan was charged over his role in the data breach cover-up. Sullivan served as Uber CSO between April 2015 and November 2017.

Last week, the US Department of Justice (DoJ) announced that, as part of the non-prosecution agreement, Uber “admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission.”

Advertisement. Scroll to continue reading.

At the time of the breach, the FTC was investigating Uber’s data security practices, requiring the company to offer information on any unauthorized access to personal information.

In the non-prosecution agreement, Uber admitted that it failed to report the data breach to the FTC, and that the hackers accessed a private source code repository using stolen credentials, from where they extracted a private access key that allowed them to download 57 million user records, including 600,000 drivers’ license numbers.

The ride sharing giant also admitted that the data breach was reported to the FTC only one year later, when the company was under a new executive leadership.

The agreement notes that the new leadership promptly launched an investigation into the 2016 data breach and disclosed it to the public and to the relevant authorities and regulators. According to the agreement, Uber has since invested significantly in improving its compliance, legal, and security functions, and that the company has shown full cooperation with the authorities investigating the incident and the cover-up.

Furthermore, the agreement also notes that, in October 2018, Uber settled with the FTC “to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information,” and that it also settled civil litigation with the attorneys general.

Related: Settlement Curbs Firm’s Facial Recognition Database in US

Related: Meta Agrees $90 Million Settlement in Facebook Privacy Suit

Related: Accellion Reaches $8.1 Million Settlement Over FTA Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.