Uber agrees to take responsibility for 2016 data breach cover-up

Ride-hailing company reaches a non-prosecution agreement with the US Department of Justice

Uber's senior management established a 'strong tone' on ethics and compliance, which enabled the company to strike a deal with US federal prosecutors. Reuters

Uber Technologies has agreed to take responsibility for the cover-up of the data breach in November 2016 that compromised about 57 million users by entering a non-prosecution deal with the US Department of Justice.

In the agreement’s statement of facts, the San Francisco-based ride-hailing company admitted that its personnel failed to report the data breach to the Federal Trade Commission despite a pending FTC investigation into data security at the company.

The 21-page agreement, announced by US Attorney for the Northern District of California Stephanie Hinds and FBI special agent in charge Sean Ragan, added that the hackers responsible for the 2016 breach used stolen credentials to get into a private source code repository and obtain a private access key.

“As part of a non-prosecution agreement to resolve the investigation, Uber admitted to and accepted responsibility for the acts of its officers, directors, employees and agents in concealing its 2016 data breach from the FTC, which at the time of the 2016 breach had a pending investigation into the company’s data security practices,” a statement from the US Attorney’s office said.

“The FTC’s investigation continued from 2015 into 2017, and its written questions to Uber required Uber to provide information about any unauthorised access to personal information.”

A non-prosecution deal is a contractual arrangement between a US government agency and a company or individual facing a criminal or civil investigation, in which the agency refrains from filing charges to allow the company to demonstrate its good conduct.

In exchange, the agreement, which is similar to a deferred prosecution deal, generally requires the company or individual to pay a fine, waive the statute of limitations, co-operate with the government, admit the relevant facts and enter into compliance and remediation commitments, potentially including a corporate compliance monitor.

Uber — which is no stranger to controversy from senior management issues to how it treats its drivers and a number of legal cases brought forward against it worldwide — is among a long list of high-profile names that have been ensnared in a data breach, which is one of the most significant cyber threats globally.

Data breach costs in 2021 were estimated to have risen to $4.24 million from $3.86m, according to an annual study from IBM. That was the highest average total cost in the 17-year history of the report.

Furthermore, the average cost was $1.07m higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor, IBM said.

Uber's agreement with federal prosecutors, however, did acknowledge the company's efforts to control the damage in the scandal's aftermath.

“The agreement filed today acknowledges several factors that support the resolution of the criminal investigation by a non-prosecution agreement,” the statement said.

One was the “presence of new executive leadership, who established a strong tone from the top of the organisation regarding ethics and compliance and who otherwise strengthened the company’s culture of compliance and transparency, including by acting promptly upon learning of the 2016 data breach to investigate and ultimately disclose it to government authorities, drivers and the public,” the agreement added.

Uber in May reported that revenue surged 136 per cent annually to almost $7 billion in the first quarter of the year, underpinned by a recovery in its ride-hailing and delivery businesses in the January-to-March period.

That exceeded analysts’ estimates of $6.1bn, as gross bookings grew 35 per cent to $26.4bn year-on-year.

Updated: July 23, 2022, 1:38 PM