In a new settlement the ride-sharing company made to avoid prosecution, Uber has admitted to hiding a major 2016 data breach that exposed its drivers and riders, according to the Justice Department.
The data breach exposed 57 million people’s records and 600,000 drivers’ licenses, per the non-prosecution agreement made Friday. Users’ information included names, email addresses and mobile phone numbers.
“Uber admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission (‘FTC’), which at the time of the 2016 breach had a pending investigation into the company’s data security practices,” the Justice Department said in a statement. “The FTC’s investigation continued from 2015 into 2017, and its written questions to Uber required Uber to provide information about any unauthorized access to personal information.”
The settlement also noted that Uber agreed in 2018 to pay $148 million in a nationwide settlement of civil litigation with the attorneys general of all 50 states and the District of Columbia.
In avoiding federal criminal prosecution, Uber formally agreed to cooperate in a case against its former chief security officer, Joseph Sullivan. The Justice Department charged Mr. Sullivan with obstruction of justice, misprision of a felony and wire fraud relating to the 2016 breach.
The Justice Department said hackers breached Uber’s systems in 2016 and demanded a six-figure payment in return for their silence.
The hackers collected payment under Uber’s bug bounty program, as a reward for disclosures of technical flaws, and Mr. Sullivan arranged for the hackers to sign non-disclosure agreements, according to the Justice Department.
When a new management team arrived in 2017 and learned of the breach and arrangement, Mr. Sullivan was fired and the breach was disclosed publicly.
Uber did not immediately respond to a request for comment.