Uber has admitted to and accepted responsibility for concealing a 2016 data breach which affected 57 million users and 600,000 drivers.
The ride-hailing giant’s admission to the US Federal Trade Commission (FTC) comes as part of a non-prosecution agreement signed with the FTC to resolve an investigation which ran from 2015 to 2017 into Uber’s data security practices.
According to the agreed facts, the hackers responsible for the breach used stolen credentials to access a private source code repository and obtain a private access key. From there, the hackers used the key to access and copy large quantities of data associated with Uber’s users and drivers.
The 2016 breach was not reported to the FTC until around a year later, when new executive leadership was managing the company.
When they learnt of the breach, the new leadership team investigated and disclosed the news to affected drivers, the public, law enforcement, and foreign and domestic regulators, including state attorneys general and the FTC.
The FTC agreement also notes that Uber settled civil litigation with the attorneys general for all 50 States and the District of Columbia related to the 2016 data breach, paying $148 million and agreeing to implement measures including a corporate integrity programme, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.
The agreement also notes that Uber has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.