Uber has entered a non-prosecution agreement to resolve a criminal investigation into the manner in which the company handled a 2016 data breach that impacted 57 million users and drivers.
In November 2017, Uber disclosed that two individuals had accessed a third-party cloud service containing user data, and announced that two employees who had led the response to the breach were no longer with the company.
In early 2018, Uber CISO John Flynn told a Senate committee hearing that the attackers had obtained credentials from a private GitHub repository and used them to access an Amazon Web Services (AWS) S3 bucket that Uber used for backups.
Flynn also admitted that, in November 2016, after being contacted by one of the individuals and confirming the data breach, Uber agreed to pay the hackers $100,000 via its HackerOne-based bug bounty program, in an attempt to keep the incident quiet.
In September 2018, Uber settled with all 50 states and the District of Columbia, agreeing to pay $148 million and to tighten data security after failing for a year to notify users and drivers of the data breach.
In 2020, former Uber CSO Joe Sullivan was charged over his role in the data breach cover-up. Sullivan served as Uber CSO between April 2015 and November 2017.
Last week, the US Department of Justice (DoJ) announced that, as part of the non-prosecution agreement, Uber “admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission.”
At the time of the breach, the FTC was already investigating Uber's data security practices and had required the company to provide information on any unauthorized access to personal information.
In the non-prosecution agreement, Uber admitted that it failed to report the data breach to the FTC, and that the attackers used stolen credentials to access a private source code repository, where they found a private access key that allowed them to download 57 million user records, including 600,000 drivers' license numbers.
The ride-sharing giant also admitted that the breach was reported to the FTC only a year later, after the company had come under new executive leadership.
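The chain the agreement describes, a credential that led into a source repository and a cloud access key sitting in that repository, is exactly what secrets scanning in CI or a pre-commit hook is meant to interrupt. The following is an added example, not code from the article, from Uber, or from any scanning tool: a minimal scanner for AWS access-key-ID and secret-access-key patterns run over constructed repository contents. The key values are the placeholders AWS uses in its own documentation, not real credentials, and the file names are invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS long-term access key IDs are 20 characters and begin with "AKIA";
# temporary (STS) key IDs begin with "ASIA". Secret access keys are 40
# characters from the base64 alphabet, so they are only flagged here when
# they sit next to a variable name that says what they are.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # enough to locate the key without re-leaking it in a report


def redact(value: str) -> str:
    """Keep only the first and last four characters of a matched key."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per key-shaped token in `text`, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. staged files in a hook)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (hypothetical paths). The key material is
# AWS's documentation placeholder pair, not a live credential.
SAMPLE_REPO = {
    "backup/config.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "BUCKET = 'rider-backups'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment, never in this repo.\n",
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_REPO)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    # A pre-commit hook or CI job would exit non-zero here to block the commit.
    raise SystemExit(1 if hits else 0)
```

In a pre-commit hook the `files` mapping would be built from the staged blobs rather than a literal. Pattern matching like this is a floor, not a ceiling: it misses keys whose variable name does not mention AWS, and it says nothing about keys already pushed into history, which need a history-wide scan and rotation of every key found, since a scanner cannot un-leak anything.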
The agreement notes that the new leadership promptly launched an investigation into the 2016 data breach and disclosed it to the public and to the relevant authorities and regulators. According to the agreement, Uber has since invested significantly in improving its compliance, legal, and security functions, and has fully cooperated with the authorities investigating the incident and the cover-up.
The agreement also notes that, in October 2018, Uber settled with the FTC, agreeing "to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals' consumer information," and that it settled civil litigation with the state attorneys general.