
Uber Admits Covering up Data Breach Involving 57M Users

The company has agreed to provide any material and witnesses to help the DoJ prosecute Sullivan.


Uber has reached an agreement with the US Department of Justice regarding its cover-up of a data breach in November 2016. In exchange for avoiding prosecution, the ride-hailing company has agreed to assist the DOJ in prosecuting its former top security officer Joseph Sullivan. 

The agreement stemmed from a data breach that compromised the personal information of 57 million people, including both passengers and drivers. The attackers gained access to a secret source code repository and obtained an access key, which they then used to steal the data. 

According to reports, the corporation decided to pay off the criminals while also hiding the breach from the Federal Trade Commission (FTC), which was already examining its security policies at the time. Uber notified the FTC and dismissed Sullivan in November 2017, following the resignation of previous CEO Travis Kalanick and the appointment of new CEO Dara Khosrowshahi. It reached an agreement with the Commission in 2018, agreeing to maintain a privacy programme that includes external audits. It also paid $148 million to resolve disputes with all 50 states. 

In August 2020, the Department of Justice charged Sullivan with obstruction of justice and hiding a felony. In December 2021, it announced new accusations of wire fraud for neglecting to notify Uber drivers that their driver's licences had been compromised. Uber had already been cooperating with the investigation and will continue to do so under the conditions of the most recent settlement. 

The corporation has agreed to disclose any materials and witnesses needed to help the DoJ prosecute Sullivan. In exchange, Uber and its affiliates are exempt from prosecution in connection with the 2016 data breach. 

According to Ilia Kolochenko, founder of ImmuniWeb and member of the Europol Data Protection Experts Network, Uber may still face a private lawsuit. “To avoid such undesirable situations, companies should take privacy and data breaches seriously, considering their duties and obligations under all applicable laws and regulations,” he said. 

“Having a well-thought-out data breach response plan in place that would include, among other things, swift interaction with internal and external legal teams, media and investors, is crucial to minimize reputational and financial damage of unpreventable data breaches. The close collaboration of technical and legal experts is the next big thing in cybersecurity,” he further added. 

Sullivan is a former federal prosecutor who currently serves as Cloudflare's chief security officer. He served as an assistant US attorney in the Northern District of California from 2000 to 2002, where he will be tried in September. He stated yesterday that he will be taking time off from work to prepare for the trial.