After nearly six years, Uber has officially fessed up to hiding a 2016 data breach which impacted 57 million users worldwide.
To avoid criminal prosecution, the ridesharing company has admitted that its personnel "failed to report the November 2016 data breach", even though the Federal Trade Commission (FTC) was investigating Uber's data security at the time.
The United States Department of Justice (DOJ) said Uber has "accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach," and has agreed to pay $212 million ($US148 million) for civil litigation related to the incident.
The breach exposed personal data on 57 million riders and drivers, including 600,000 US drivers' licence numbers and the records of 1.2 million Australian users.
Rather than disclose the incident, Uber paid the attackers a $143,000 ($US100,000) ransom in exchange for deleting the stolen data and staying quiet. That decision is the root of the legal repercussions that have followed the company for years.
The data breach remained undisclosed for a full year before finally being reported to government authorities by the then newly-appointed CEO, Dara Khosrowshahi.
In a blog post published in late 2017, Khosrowshahi said "None of this should have happened, and I will not make excuses for it".
Method behind the madness
The attack was carried out by two hackers, Brandon Glover and Vasile Mereacre, who used a collection of credentials stolen from other sites to get into Uber's systems.
Court documents reveal the two men used a "custom-built Github account checker tool" which took corporate login credentials already exposed in breaches of other websites and tested them against GitHub's service, a technique known as credential stuffing.
After using the accounts compromised this way to reach Uber's sensitive data, the two men contacted the company's then Chief Security Officer, Joe Sullivan, and demanded the $143,000 ($US100,000) ransom in Bitcoin, which Sullivan agreed to pay.
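The technique described in the court documents is credential stuffing: replaying username and password pairs leaked from one site against the login endpoint of another. The following is an added example, not code from the article, from Uber or from GitHub, showing how a defender can spot that pattern in login-audit logs. The log format, field names, sample lines, IP addresses and thresholds are all assumptions made up for this example.

```python
"""Credential-stuffing detector over login-audit records.

Added example; not code from the article, Uber or GitHub. The log format,
field names and thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). Assumed format:
#   <ISO8601 time> src=<ip> user=<login> result=<OK|FAIL>
SAMPLE_LOG = """\
2016-10-13T02:11:05Z src=203.0.113.7 user=alice result=FAIL
2016-10-13T02:11:06Z src=203.0.113.7 user=bob result=FAIL
2016-10-13T02:11:06Z src=203.0.113.7 user=carol result=FAIL
2016-10-13T02:11:07Z src=203.0.113.7 user=dave result=OK
2016-10-13T02:11:08Z src=203.0.113.7 user=erin result=FAIL
2016-10-13T02:11:09Z src=203.0.113.7 user=frank result=FAIL
2016-10-13T02:11:10Z src=203.0.113.7 user=grace result=OK
2016-10-13T02:15:00Z src=198.51.100.4 user=heidi result=FAIL
2016-10-13T02:15:30Z src=198.51.100.4 user=heidi result=FAIL
2016-10-13T02:16:00Z src=198.51.100.4 user=heidi result=OK
2016-10-13T03:40:00Z src=192.0.2.9 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, src, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Return {src: summary} for sources whose activity looks like stuffing.

    Heuristic (an assumption of this example): within one sliding time window
    a single source tries many *distinct* usernames and most attempts fail.
    A user mistyping their own password hits one username and is not flagged;
    a replay of a leaked credential list walks through many.
    Once a source trips the heuristic, every successful login from it is
    treated as a compromised account that needs a password reset.
    """
    events = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        events[src].append((ts, user, ok))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance `start` so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                all_fails = sum(1 for _, _, ok in evs if not ok)
                flagged[src] = {
                    "distinct_users": len({u for _, u, _ in evs}),
                    "attempts": len(evs),
                    "fail_ratio": round(all_fails / len(evs), 2),
                    "accounts_to_reset": sorted(u for _, u, ok in evs if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed sample, only 203.0.113.7 is flagged: seven distinct usernames in five seconds with five failures, and the two successful logins (dave and grace) are the accounts a responder would reset first. The repeated failures from 198.51.100.4 are one user retrying their own password and are left alone. In production the same logic runs over a real authentication log, and the thresholds are tuned to the service's normal traffic.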
Sullivan was fired from Uber the following year, and in 2020, was charged with obstruction and failing to report a felony to authorities.
He is currently scheduled to stand trial in the US District Court for the Northern District of California in September.
Penalties from around the globe
While the recent non-prosecution agreement with the DOJ entails a long-awaited settlement between Uber and United States parties tied to the breach, the impacts of this 2016 attack are not confined to America alone.
Uber has faced ongoing scrutiny and investigations from around the globe for the breach, many of which have culminated in hefty penalties.
Among these was a fine of $715,000 (£385,000) by the UK Information Commissioner's Office, as well as a 2021 determination by the Office of the Australian Information Commissioner (OAIC) that Uber had breached several of the Australian Privacy Principles.
Given the financial and reputational damages resulting from this attack and its subsequent cover-up, Uber has heavily increased its commitments to security and compliance over the past six years.
In addition to terminating several senior executives connected to the incident, Uber has agreed with the FTC to maintain a comprehensive privacy program for 20 years.
According to the DOJ, Uber further agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."
Jill Hazelbaker, Senior VP of Marketing and Public Affairs at Uber, asked that the public not judge the company on its patchy history.
"We have not and will not make excuses for past behaviour that is clearly not in line with our present values,” she said.
“Instead, we ask the public to judge us by what we’ve done over the last five years and what we will do in the years to come."