By Katy St. Clair | Bay City News Foundation
Ride-share juggernaut Uber has entered a nonprosecution agreement with federal prosecutors to resolve a criminal investigation into the coverup of a significant data breach suffered by the company in 2016, federal authorities from the Department of Justice announced Friday.
As part of the agreement, Uber will cooperate with the investigation into the company’s former chief security officer.
According to United States Attorney Stephanie M. Hinds and FBI Special Agent in Charge Sean Ragan, Uber admitted to and accepted responsibility for the acts of its officers, directors, employees and agents in concealing its 2016 data breach from the Federal Trade Commission, which at the time had a pending investigation into the company’s data security practices.
Prosecutors say that Uber admitted that its personnel failed to report the November 2016 data breach to the FTC, despite a pending investigation into data security at the company. Hackers responsible for the 2016 breach used stolen credentials to access a private source code repository and obtain a private access key.
The hackers then used that key to access and copy large quantities of data associated with Uber’s users and drivers, including approximately 57 million user records and 600,000 drivers’ license numbers. Uber did not report the breach until approximately one year later, the DOJ said, when new executive leadership had taken over. This new leadership disclosed the breach to affected drivers, the public, law enforcement and to foreign and domestic regulators, including state attorneys general and the FTC.
The resolution of the criminal probe by a nonprosecution agreement was helped by the fact that the new leadership came clean about the breach, the DOJ said, and also that the company then invested “substantial” resources to significantly restructure and enhance the company’s compliance, legal, and security functions.
In 2017, former CEO Travis Kalanick stepped down – a saga portrayed in the Showtime drama “Super Pumped: The Battle for Uber” – and Dara Khosrowshahi, the former CEO of Expedia Group, took the helm.
Uber agreed in 2018 to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other governmental agencies relating to unauthorized intrusion into consumers’ information.
As part of the agreement with the government, Uber will also continue to cooperate with the government’s investigation of former Chief Security Officer Joseph Sullivan, who is facing charges that he allegedly defrauded drivers in an alleged coverup of the 2016 data breach.
Finally, Uber must pay $148 million and implement a corporate integrity program, data security safeguards, and incident response and data breach notification plans, along with biennial assessments, the DOJ said.