Uber has admitted responsibility for a data breach in 2016 that exposed millions of its users to malicious hackers to avoid prosecution, the US Department of Justice has disclosed.
“Uber Technologies has entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the coverup of a significant data breach suffered by the company,” said the DoJ, citing the FBI and US Attorney’s office that investigated the case.
The concealed breach led to threat actors accessing and copying a trove of data “pertaining to approximately 57 million user records with 600,000 drivers’ license numbers” after using stolen credentials to access a private database.
Uber did not disclose the incident to the Federal Trade Commission (FTC) until a year later, by which time it was under new management.
“Upon learning of the 2016 data breach, the new leadership team investigated and disclosed it to affected drivers, to the public, to law enforcement, and to foreign and domestic regulators, including state attorneys general and the FTC,” said the DoJ.
The non-prosecution agreement filed on July 22 with the US Attorney’s office in northern California states that Uber admits its staff failed to report the breach when it occurred in November 2016, despite a pending investigation by the FTC into the controversial company.
It also confirms that in October 2018, one year after finally admitting it, “Uber agreed to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information.”
The agreement also claims that Uber “has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions” since the incident.
The US-based ride-hailing service platform has come under fire in recent years, and is banned in cities around the world amid claims it flouted local laws, duped police, and exploited violence against drivers.