Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution

Hackers Stole Sensitive Data for 57 Million Uber Passengers and Drivers
Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution
Photo: Andrew Caballero-Reynolds/AFP/Getty Images

Ride-sharing service Uber has reached an agreement with the U.S. Department of Justice to resolve a criminal investigation into its massive 2016 data breach.

See Also: Jumpstarting Digital Forensic Investigations

The November 2016 breach involved hackers stealing legitimate credentials, using them to access Uber's private source code repository and stealing information on numerous drivers and riders. In total, the hackers obtained records on approximately 57 million users, as well as 600,000 drivers' license numbers.

On Friday, U.S. Attorney Stephanie M. Hinds and FBI Special Agent in Charge Sean Ragan announced the non-prosecution agreement with Uber, which resolves an investigation led by the FBI and prosecution by the Corporate and Securities Fraud Section of the U.S. attorney's office. That probe was based in part on Uber having failed to report the 2016 data breach to the Federal Trade Commission, despite a pending FTC investigation into Uber's cybersecurity practices following a 2014 data breach.

The DOJ says its decision to resolve the investigation, which was being led by the FBI, is based on multiple factors, including the company's new CEO in late 2017 immediately reporting the 2016 breach to the public as well as to regulators. The company also subsequently invested "substantial resources to significantly restructure and enhance the company's compliance, legal and security functions."

Justice also says that in October 2018, Uber reached an agreement with the Federal Trade Commission stipulating that it will maintain "a comprehensive privacy program for 20 years" as well as report all unauthorized access to individuals' personal information to the FTC and other relevant authorities.

Another factor cited by the DOJ: Uber already reached a $148 million settlement agreement over the 2016 breach with all 50 states and Washington, D.C. As part of that agreement, Uber has committed to improving its cybersecurity practices, regularly auditing its security, implementing a corporate security program and developing data breach and incident response plans.

Prosecution of Former CSO Continues

Finally, Uber agreed to continue to cooperate with the government's continuing prosecution of former CSO Joe Sullivan, who's been accused of attempting to cover up the 2016 breach by disguising an extortion payment to the hackers as a bug bounty.

Sullivan was accused by federal prosecutors in August 2020 of having paid two hackers "$100,000 in hush money" to cover up the breach. The hackers later pleaded guilty to computer fraud conspiracy charges.

In December 2021, a federal grand jury handed down a superseding indictment against Sullivan, charging him with obstruction of justice, deliberately concealing a felony and three counts of wire fraud.

Sullivan strongly denies the allegations. A spokesman for Sullivan previously said that every action he and his breach response team took involved close collaboration "with legal, communications and other relevant teams at Uber, in accordance with the company's written policies." Sullivan is now serving as CSO of Cloudflare.

Uber didn't immediately respond to a request for comment on its agreement with the DOJ.

Exposé Profiles Uber's Past Activities

Earlier this month, the Guardian published The Uber Files, an exposé into Uber's activities from 2013 to 2017, which it said included breaking numerous laws, using a "kill switch" to disconnect the IT systems at Uber's satellite offices in the event of a raid by authorities and details of aggressive lobbying in numerous countries by Uber senior executives.

The report is based in part on data leaked to the Guardian by former Uber senior executive Mark MacGann. Leaked information included internal emails, WhatsApp and iMessage chats, and 124,000 documents, including memos and presentations.

An investigation into the leaks was managed and led by the Guardian and the International Consortium of Investigative Journalists, which shared the information with 180 journalists in 29 countries.

In response to the exposé, Uber issued a broad mea culpa for past mistakes. In particular, those past errors led directly to the hiring of Dara Khosrowshahi as CEO in 2017, "who was tasked with transforming every aspect of how Uber operates," Jill Hazelbaker, senior vice president for marketing and public affairs, says in a blog post.

"He was guided from the start by the recommendations of Eric Holder, a former U.S. attorney general hired by the company to investigate and overhaul our business practices," Hazelbaker says.

Acting on those recommendations, the new CEO "rewrote the company's values, revamped the leadership team, made safety a top company priority, implemented best-in-class corporate governance, hired an independent board chair, and installed the rigorous controls and compliance necessary to operate as a public company," she says. "When we say Uber is a different company today, we mean it literally: 90% of current Uber employees joined after Dara became CEO."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.