The breach occurred in October 2016, when a group of hackers used stolen credentials to obtain an internal access key, which in turn gave them access to approximately 57 million user records. Those records included users' names, email addresses, and phone numbers, as well as about 600,000 driver's license numbers. The hackers did not obtain Social Security numbers, credit card details, or trip details; it is how Uber responded to the breach, rather than the breach itself, that brought the company to its current situation.
Uber reportedly paid the hackers $100,000, not only to delete the data they had obtained but also to keep the breach hidden from regulators and the media. The payment was made under then-CEO Travis Kalanick; by the time Dara Khosrowshahi replaced him in 2017, the company was already navigating a series of federal investigations, most of them focused on separate alleged privacy violations. Under the terms of those investigations, Uber was required to inform regulators of any "unauthorized access to personal information." It did not comply.
Uber kept the breach hidden from regulators for over a year before Khosrowshahi publicly acknowledged it. In November 2017, the newly appointed CEO issued a statement detailing the company's "failure to notify affected individuals or regulators" and promising to notify affected users. The statement coincided with a "damning" Bloomberg report about the breach and its cover-up.
News of the cover-up triggered a new investigation involving the Federal Trade Commission (FTC), the Federal Bureau of Investigation (FBI), state attorneys general, and foreign and domestic regulators. Until last week, it remained possible that Uber could be held criminally liable for concealing the breach and for violating its obligation to disclose security incidents to the regulators already investigating the company. Instead, the company has avoided criminal charges through a non-prosecution agreement, which it entered into last Friday.
The agreement acknowledges that since Khosrowshahi's appointment, Uber has "invested substantial resources to significantly restructure and enhance the company's compliance, legal, and security functions." It also cites a 20-year agreement between Uber and the FTC, under which the rideshare company committed to maintain a comprehensive privacy program and to disclose any future consumer data breaches to the agency. According to the agreement, Uber had already resolved its civil liability through a $148 million settlement with the attorneys general of all 50 states and the District of Columbia, together with a commitment to implement various internal security and review measures.
Violating any of these terms over the next two decades would put Uber back at square one, where it could once again face criminal prosecution. But surely the company has learned its lesson...right?