Ridesharing company Uber reached a nonprosecution agreement with the Department of Justice (DOJ) on Friday to resolve a criminal investigation into its 2016 data breach and subsequent cover-up.
As part of the agreement, which carries a term of one year, Uber accepted responsibility for concealing its 2016 data breach from the Federal Trade Commission (FTC), which at the time had a pending investigation into the company’s data security practices following a data breach in 2014.
The agreement with the DOJ does not include an additional fine or compliance monitorship after Uber agreed to a related settlement with the FTC in 2018 and to pay $148 million as part of a civil litigation with the attorneys general for all 50 states and Washington, D.C. that same year. Uber was praised by the DOJ for its cooperation, including in the agency’s ongoing case against the company’s former chief security officer, Joseph Sullivan.
In September 2014, Uber discovered it had been breached after an access key granting access to its Amazon Web Services account was inadvertently published to a public repository on GitHub, according to the agreement. The breach exposed the names and driver's license numbers of 50,000 Uber drivers.
In May 2015, the FTC opened its probe, specifically asking when and how the company learned of the breach, the type of personal information accessed, and how the company notified affected parties, according to the agreement.
Sullivan, who joined Uber in April 2015, was designated as a sworn officer during the probe. In November 2016, he gave testimony to the FTC regarding the 2014 data breach. Approximately 10 days later, he was notified of another breach of Uber's Amazon Web Services account.
This time, stolen credentials allowed hackers to gain access to approximately 600,000 driver's license numbers and 57 million user records, per the agreement. Sullivan allegedly told his team to keep the breach a secret and oversaw the payment of $100,000 to the hackers under the guise of Uber's bug bounty program.
In August 2017, Dara Khosrowshahi took over as chief executive at Uber and soon discovered the scope of the 2016 breach. He fired Sullivan in November 2017 after an internal probe and promptly notified the relevant parties of the breach.
At the time, the FTC was prepared to close its probe into the 2014 breach, but once the details of the second breach were disclosed, the agency continued its case. In October 2018, Uber settled with the FTC.
The agreement with the FTC requires Uber to “maintain a detailed and comprehensive privacy program” assessed biennially by third-party professionals for a period of 20 years. The company must further report to the FTC regarding any unauthorized access to personal information of users or drivers.
In its settlement with the states, Uber also agreed to the implementation of:
- A corporate integrity program;
- Specific and robust data security safeguards;
- A comprehensive information security program;
- A comprehensive incident response and data breach notification plan; and
- Biennial assessments of its information security program by an independent third party for a period of 10 years.
The company invested substantial resources to significantly restructure and enhance its compliance, legal, and security functions, including the hiring of a chief legal officer, chief ethics and compliance officer, and chief trust and security officer, the DOJ noted.
Uber did not return a request for comment.