Uber has admitted that it covered up a massive data breach in 2016 that exposed data pertaining to approximately 57 million users and 600,000 drivers’ license numbers.
The ride-hailing platform has entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the cover-up of a significant data breach suffered by the company in 2016, according to the US Department of Justice.
As part of a non-prosecution agreement to resolve the investigation, Uber admitted concealing its 2016 data breach from the Federal Trade Commission (FTC), which at the time of the 2016 breach had a pending investigation into the company’s data security practices.
According to reports “Uber admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company,” the Justice Department said in a statement.
The hackers responsible for the Uber breach used stolen credentials to access a private source code repository and obtain a private access key.
The hackers then used that key to access and copy large quantities of data associated with Uber’s users and drivers.
The report further pointed out that the breach was not reported to the FTC until approximately a year later, when new executive leadership was managing the company, revealed the Justice Department.
Uber settled civil litigation with the attorneys general for all 50 States and the District of Columbia related to the 2016 data breach, paying $148 million and agreeing to implement a corporate integrity programme.
Recently, a leaked trove of internal Uber documents revealed that the ride-hailing platform allegedly broke laws and secretly lobbied governments to expand globally.