SecurityWeekSecurityWeek

Uber Settles With Federal Investigators Over 2016 Data Breach Coverup

Uber has entered a non-prosecution agreement to resolve a criminal investigation into the manner in which the company handled a 2016 data breach that impacted 57 million users and drivers.

In November 2017, Uber disclosed that two individuals had accessed a third-party cloud service containing user data, and announced that two employees in charge of leading the response to the breach were no longer with the company.

In early 2018, Uber CISO John Flynn confirmed during a Senate committee hearing that the hackers obtained credentials from a private GitHub site and then used them to access an Amazon Web Services (AWS) S3 bucket used for backup purposes.

Flynn also admitted that, in November 2016, after being contacted by one of the individuals and confirming the data breach, Uber agreed to pay the hackers $100,000 via its HackerOne-based bug bounty program, in an attempt to keep the incident quiet.

In September 2018, Uber settled with all 50 states and the District of Columbia, agreeing to pay $148 million and to tighten data security after failing for a year to notify users and drivers of the data breach.

In 2020, former Uber CSO Joe Sullivan was charged over his role in the data breach cover-up. Sullivan served as Uber CSO between April 2015 and November 2017.

Last week, the US Department of Justice (DoJ) announced that, as part of the non-prosecution agreement, Uber “admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission.”

At the time of the breach, the FTC was investigating Uber’s data security practices, requiring the company to offer information on any unauthorized access to personal information.

In the non-prosecution agreement, Uber admitted that it failed to report the data breach to the FTC, and that the hackers accessed a private source code repository using stolen credentials, from where they extracted a private access key that allowed them to download 57 million user records, including 600,000 drivers’ license numbers.
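The breach path described above (a long-term AWS key sitting in a private source repository, later used to pull data from S3) is exactly what committed-secret scanning is meant to catch before the push. The following Python scanner is an added defensive example, not code from the article or from Uber; the key-ID prefix and 40-character secret format are assumptions based on the documented shape of AWS long-term credentials, and the sample config is constructed, using AWS's published placeholder key.

```python
import re
import subprocess
from pathlib import Path

# Assumed formats (not from the article): AWS long-term access key IDs are
# "AKIA" plus 16 uppercase alphanumerics; the matching secret is a 40-character
# base64-like string, usually assigned to a variable named aws_secret_access_key.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep only the first and last four characters so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text, path="<input>"):
    """Return (path, line_no, kind, redacted_value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY.finditer(line):
            findings.append((path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_tracked_files(repo_dir="."):
    """Scan every git-tracked file in repo_dir; binary content is read leniently."""
    out = subprocess.run(["git", "-C", repo_dir, "ls-files", "-z"],
                         capture_output=True, check=True).stdout
    findings = []
    for rel in filter(None, out.decode("utf-8", "surrogateescape").split("\0")):
        text = Path(repo_dir, rel).read_text(encoding="utf-8", errors="ignore")
        findings.extend(find_aws_credentials(text, rel))
    return findings


# Constructed sample: a config file someone committed, using AWS's documented
# placeholder credentials rather than any real key.
SAMPLE_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_CONFIG, "config/aws.ini"):
        print("%s:%d %s %s" % finding)
```

Run `scan_tracked_files()` from a pre-commit or CI hook to fail the push when anything is reported; the redacted output is safe to keep in build logs.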

The ride-sharing giant also admitted that the data breach was reported to the FTC only one year later, after the company came under new executive leadership.

The agreement notes that the new leadership promptly launched an investigation into the 2016 data breach and disclosed it to the public and to the relevant authorities and regulators. According to the agreement, Uber has since invested significantly in improving its compliance, legal, and security functions, and has fully cooperated with the authorities investigating the incident and the cover-up.

The agreement also notes that, in October 2018, Uber settled with the FTC “to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information,” and that it also settled civil litigation with the attorneys general.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
