As part of a settlement with the US Department of Justice to avoid criminal prosecution, Uber acknowledged covering up a significant cybersecurity incident in October 2016 that exposed the private information of 57 million users and drivers.
Uber “admits that its workers neglected to report the November 2016 data breach to the [Federal Trade Commission] despite a pending FTC inquiry into data security at the company,” according to a DOJ news statement. This admission allowed Uber to avoid prosecution for the cover-up.
Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key. With this key, they were able to access and copy a sizeable amount of data related to Uber’s users and drivers, including about 57 million user records and 600,000 driver’s license numbers.
Only after a year did the company publicly disclose the data leak, as reported by Bloomberg. Uber allegedly paid the hackers a USD 100,000 ransom to destroy the data and keep the data breach a secret from the public and government authorities.
When Travis Kalanick was fired from his role as CEO, Dara Khosrowshahi, the newly appointed CEO of Uber, took over. He later acknowledged that the cover-up was improper.
The settlement states that after identifying the breach a year later, Khosrowshahi and his staff informed the general public, drivers, and government officials.
Uber’s willingness to disclose the breach and its agreement with the FTC in 2018 to notify law enforcement of any future cyber-attacks both played a role in the decision not to prosecute the firm.
Additionally, it is acknowledged in the settlement that Uber paid USD 148 million to resolve civil lawsuits resulting from the data breach.
In addition to driver’s license numbers for almost 600,000 US drivers, the hack exposed the names, email addresses, and phone numbers of more than 7 million Uber drivers and more than 50 million Uber users worldwide.