Uber Settles 2016 Data Breach Coverup Allegations with Feds for $148M

Uber Technologies Inc. resolved charges by the United States Attorney's Office that it concealed a 2016 data breach from the Federal Trade Commission, which was then conducting an investigation into its security practices. According to the non-prosecution agreement made public last Friday, Uber admits fault, will pay $148 million in fines, and will implement a corporate integrity program.

Simultaneously, the U.S. Attorney’s Office for the Northern District of California issued a press release announcing the terms of the agreement and explaining the origin of the charges.

Six years ago, Uber’s servers were infiltrated by hackers who used stolen credentials to access a private source code repository and obtain a private access key. The hackers, who pled guilty to electronic theft charges, accessed and copied data associated with Uber’s users and drivers, including 57 million user records with 600,000 drivers’ license numbers.

The ride-hailing company concealed the incident from the FTC while under an affirmative obligation to disclose the unauthorized access, only notifying the agency about a year after the fact when new executive leadership took over. The agreement also noted that Uber has fully assisted in an ongoing criminal case against its former chief security officer for his role in attempting to cover up the 2016 breach.

As for changes, the press release said that the company has “invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.” Additionally, the agreement directed Uber to set up a comprehensive privacy program lasting two decades with specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.

Uber is represented by Covington & Burling LLP.