Dive Brief:
- Ride-sharing giant Uber Technologies reached a non-prosecution agreement with federal authorities last week after it failed to disclose a 2016 data breach while under investigation by the Federal Trade Commission regarding its data practices, the U.S. Attorney's Office in the Northern District of California announced Friday.
- The FTC investigated Uber between 2015 and 2017 over its data practices and sent written questions to the company that required disclosure of any unauthorized access to personal information, according to federal prosecutors. However, in November 2016, unauthorized hackers used stolen credentials to access a private source code repository and steal 57 million user records, including 600,000 driver’s license numbers.
- Under the non-prosecution agreement, Uber admitted that its personnel failed to disclose the November 2016 breach, despite the pending FTC investigation. The company is accepting responsibility for the actions of its officers, directors, employees and agents.
Dive Insight:
The Uber agreement highlights a breach of trust with customers and federal regulators. But the incident took place in a different era of cybersecurity and data governance, long before the 2020 SolarWinds attack and the 2021 Colonial Pipeline incident helped usher in historic policy changes.
The incident at Uber took place at a time when companies commonly failed to disclose data breaches and other cybersecurity incidents, partly due to the stigma of being perceived as lax with customer information, said Alla Valente, senior analyst at Forrester. She said new corporate governance standards would not allow a major company to behave in a similar manner today.
“Frankly, I mean, I’d have to have faith that if something like that happened today, it wouldn’t get to this point,” Valente said.
A federal grand jury indicted Uber’s former Chief Security Officer Joseph Sullivan in December 2021 on charges that he attempted to cover up the 2016 hack by arranging a six-figure payment to two hackers, who agreed to remain silent about the attack. He was also charged with trying to conceal the incident from the customers and drivers whose PII was compromised.
Sullivan was charged with obstruction of justice in 2020 over the same incident.
The FTC had been investigating reports, which surfaced in 2014, that Uber improperly accessed customer data. The agency settled with Uber in 2017; however, it later learned from new management at the ride-sharing firm that a 2016 data breach had been covered up and not disclosed to the FTC in response to its written questions.
Uber in 2018 entered into a 20-year compliance program with the FTC, and as part of the agreement announced last week, federal authorities noted significant changes to the data compliance, legal and security functions at the company.
Federal authorities also cited Uber’s extensive cooperation on the case. Uber settled civil litigation with state attorneys general for $148 million and agreed to significant data reforms.
Gartner analysts said the Uber saga is an extreme example, but it has rattled corporate security officers about how to respond to compliance demands.
“Couple that with an upward trend in ransomware attacks and the constant debate of to pay or not to pay, CISOs often find themselves in a very lonely and undesirable position, under immense pressure to restore services,” Nader Henein, VP analyst at Gartner, said via email.