Update, July 28th 2022: this article has been edited to reflect the fact that the US Attorney's office filed a notice of dismissal for the three wire fraud charges against Joe Sullivan on July 27th.
Uber has formally admitted to covering up a major data breach which exposed the personal information of 57 million users in November 2016 as part of a non-prosecution agreement with the US Department of Justice (DOJ).
According to federal prosecutors in the US, between 2015 and 2017 the Federal Trade Commission (FTC) investigated Uber regarding its data practices, and during this investigation required disclosure of any unauthorized access to personal data. At the time, Uber did not disclose the November 2016 data breach to the FTC.
According to the settlement, which was signed last week, Uber reported the breach to government authorities, drivers and the general public in 2017.
Following the breach being made public, Uber paid US$148,000 to settle civil litigation, in addition to promising to disclose any future attacks to the Federal Trade Commission (FTC). The decision not to prosecute was reportedly due to the agreement made between the two parties and the company's decision to disclose the breach following the appointment of Dara Khosrowshahi as CEO in 2017.
The breach occurred after hackers used stolen credentials to obtain an access key from a source code repository, which they then used to access both driver and customer personal details. These details included full names, email addresses, telephone numbers and driver's license numbers.
Former CSO of Uber, Joe Sullivan, allegedly attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, "contained the false representation that the hackers did not take or store any data". Additionally, the DOJ alleges that Sullivan attempted to pay the hackers through a bug bounty program, a program in which 'white hat' hackers reveal security vulnerabilities without compromising any confidential data.
Uber reportedly paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.
Sullivan was fired in 2017 due to his involvement in the cover-up and is due to go on trial in September 2022 after being charged with three counts of wire fraud, one count of obstruction of justice and one count of misprision of a felony for his attempt to hide the breach from both Uber management and the FTC. The three counts of wire fraud were later dismissed on July 27th 2022.