Uber has admitted it covered up a major data breach in 2016 that led to user data being leaked online.
The US Department of Justice (DoJ) said in a press release the taxi company, “admits that its personnel failed to report the November 2016 data breach to the Federal Trade Commission despite a pending FTC investigation into data security at the company.”
Uber’s confession came as part of a settlement which will see it avoid criminal prosecution from the DoJ.
Hush money
The hack, which happened in October 2016, started with stolen credentials to a private source code repository, and ended with the theft of sensitive data on 57 million people, including both Uber customers, and drivers.
The data that was stolen included full names, email addresses, and phone numbers, as well as driver license numbers, which cybercriminals can utilize to engage in identity theft, for example.
Even though the hack happened in 2016, it was only disclosed a year later. Allegedly, both the company CEO at the time, Travis Kalanick, and the Chief Security Officer (CSO), Joe Sullivan, knew of the breach and tried to cover it up, paying the hackers $100,000 to delete the data and never speak of it again.
Kalanick was later ousted from his position, and succeeded by Dara Khosrowshahi who, upon learning of what had happened, fired Sullivan, and reported the whole thing to the authorities.
Sullivan was also later charged with obstruction of justice, for trying to hide the breach from both the FTC and Uber management, with his trial set to begin in roughly a month.
Another reason why the DoJ decided not to press criminal charges against Uber was because of an agreement the company made with the FTC in 2018, to report any future cyberattacks to the government. Uber had also paid $148 million to settle civil litigation that was tied to the data breach.
Via: The Verge (opens in new tab)
