DataBreaches.Net

Uber enters non-prosecution agreement; admits 2016 data breach coverup

Posted on July 22, 2022 by Dissent

SAN FRANCISCO – Uber Technologies, Inc., has entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the coverup of a significant data breach suffered by the company in 2016, announced United States Attorney Stephanie M. Hinds and Federal Bureau of Investigation Special Agent in Charge Sean Ragan.

As part of a non-prosecution agreement to resolve the investigation, Uber admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission (“FTC”), which at the time of the 2016 breach had a pending investigation into the company’s data security practices. The FTC’s investigation continued from 2015 into 2017, and its written questions to Uber required Uber to provide information about any unauthorized access to personal information.

In the agreement’s Statement of Facts, Uber admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company. According to the agreed facts, the hackers responsible for the 2016 breach used stolen credentials to access a private source code repository and obtain a private access key. The hackers then used that key to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 drivers’ license numbers. The breach was not reported to the FTC until approximately a year later, when new executive leadership was managing the company. Upon learning of the 2016 data breach, the new leadership team investigated the breach and disclosed it to affected drivers, to the public, to law enforcement, and to foreign and domestic regulators, including state attorneys general and the FTC.

The agreement filed today acknowledges several factors that support the resolution of the criminal investigation by a non-prosecution agreement. First, the agreement notes a change of executive management in late 2017 and the new leadership team’s prompt investigation of the 2016 breach and its disclosure to the public, FTC, law enforcement, and foreign and domestic regulators, and state attorneys general. Second, the agreement notes the company has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.

Third, the agreement further describes that in October 2018, after disclosing the 2016 data breach, Uber entered an agreement with the FTC under which Uber agreed to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information. Fourth, the agreement cites Uber’s full cooperation with the government investigation of this matter, including in the ongoing criminal case against Uber’s former chief security officer for his alleged attempt to cover up the 2016 breach. However, the charges in that case are merely allegations, and the defendant in that case, as in all criminal cases, is presumed innocent until proven guilty beyond a reasonable doubt.

Finally, the agreement also notes that Uber settled civil litigation with the attorneys general for all 50 States and the District of Columbia related to the 2016 data breach, paying $148 million and agreeing to implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.

Link to non-prosecution agreement here.

The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The case is being investigated by the FBI. The U.S. Attorney’s Office acknowledges the assistance of the FTC.

Further Information

A copy of this press release and a link to the non-prosecution agreement will be placed on the U.S. Attorney’s Office’s website at www.usdoj.gov/usao/can.

Electronic court filings and further procedural and docket information are available at https://ecf.cand.uscourts.gov/cgi-bin/login.pl.

Judges’ calendars with schedules for upcoming court hearings can be viewed on the court’s website at www.cand.uscourts.gov.


Source: United States Attorney Stephanie M. Hinds, Northern District of California

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.