The 2016 data leak that affected 57 million Uber users and drivers was hushed up. The DOJ (US Department of Justice) and the taxi firm have reached a deal: in exchange for its confession, the firm avoids punishment.
Uber “admits that its officials failed to notify the FTC of the November 2016 data breach despite an ongoing FTC inquiry into data security at the firm,” according to a DOJ press statement.
If you recall, hackers used stolen credentials to break into Uber’s system years ago. They obtained a private access key by accessing a private repository of source code. Using this key, they then accessed and copied information related to Uber users and drivers (names, email addresses, phone numbers, and license numbers).
The hackers blackmailed Uber using the stolen data. As a result, the business kept this information from the public and paid the hackers $100,000 to delete the data and remain silent.
The Uber hack became public in 2017, a year after the incident, once new management had taken over the company. After former CEO Travis Kalanick was fired, Uber CEO Dara Khosrowshahi and the new leadership team conducted an internal investigation into the incident. As a result, Khosrowshahi fired Joe Sullivan, who was at the time Uber’s chief security officer, for participating in the cover-up. Uber also informed its drivers, authorities, law enforcement, attorneys general, and the FTC (Federal Trade Commission) about the incident.
Sullivan was accused of obstructing justice due to the FTC and Uber management’s cover-up. The trial in his case is set to begin in September 2022.
According to the press release, the FTC decided not to prosecute Uber because Khosrowshahi and the new management reported the breach. The carpool firm also reached a settlement with the FTC under which it will maintain a “comprehensive privacy programme” for 20 years and keep the FTC informed of any new privacy violations.
Last but not least, Uber settled a civil lawsuit for $148M.