Uber Technologies Inc (UBER.N) admitted Friday that it covered up a 2016 data breach that affected 57 million passengers and drivers as part of a plea bargain with US prosecutors to avoid criminal charges.
Uber admitted in a non-prosecution agreement
Cab admitted in a non-prosecution agreement that its employees failed to report the November 2016 hacking to the US Federal Trade Commission, despite the fact that the agency was investigating the ride-sharing company’s data security.
cab waited about a year to report the breach, according to US Attorney Stephanie Hinds in San Francisco, after installing new executive leadership who “established a strong tone from the top” regarding ethics and compliance.
Hinds stated that the decision not to charge the cab criminally was influenced by the new management’s prompt investigation and disclosures and cab’s 2018 agreement with the FTC to maintain a comprehensive privacy program for the next 20 years.
The San Francisco-based company is also assisting in the prosecution of a former security chief, Joseph Sullivan, for his alleged role in the hacking cover-up.
Requests for comment were not immediately returned by Uber.
Sullivan was first charged in September 2020. According to prosecutors, Sullivan arranged for the hackers to be paid $100,000 in bitcoin and to sign nondisclosure agreements that falsely stated they had not stolen data.
Uber had a bounty programme intended to reward security researchers who report flaws, not to conceal data thefts.
Uber paid $148 million in September 2018 to settle claims by all 50 US states and Washington, DC that it was too slow to disclose the hacking.
On Friday, Uber shares fell 93 cents to $23.30. The non-prosecution agreement was revealed after the close of US markets.