Uber Technologies has admitted that it covered up a massive October 2016 cyberattack that exposed the private data of 57 million customers and drivers.
The admission is part of a settlement with the US Department of Justice to avoid criminal prosecution.
According to a press release from the DOJ, the mobility service provider, in a move to avoid prosecution for the cover-up, “admits that its personnel failed to report the November 2016 data breach to the [Federal Trade Commission] despite a pending FTC investigation into data security at the company”.
In October 2016, hackers who compromised Uber’s webpage used stolen credentials to access a private source code repository, then obtained a proprietary access key, which they used to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records, with 600,000 driver’s license numbers among them.
The attack gave the hackers access to the names, email addresses, and phone numbers of more than 50 million Uber riders worldwide, while more than 7 million Uber drivers had similar data exposed, in addition to driver’s license numbers for around 600,000 US drivers.
The breach became public only a year later, when the company disclosed it, as reported by Bloomberg. The company allegedly paid the hackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators.
The scandal led to the ouster of then Uber CEO Travis Kalanick, with newly appointed CEO Dara Khosrowshahi admitting that the cover-up should not have happened.
The settlement states that Khosrowshahi and his team, after discovering the breach a year after it happened, reported it to the public, drivers, and government authorities.
Uber’s decision to publicly disclose the breach and its agreement with the FTC to report subsequent cyberattacks to government regulators were perhaps its saving grace and the reason it will not face prosecution. The settlement also noted that the company paid $148 million to settle civil litigation tied to the data breach.
Aside from the ouster of Kalanick, Uber’s chief security officer, Joe Sullivan, was dismissed, as he was found to be complicit in the cover-up. He was later charged with obstruction of justice for trying to hide a data breach from the FTC and Uber management, with his case scheduled to come up in September this year.