Uber Technologies Inc this Friday accepted the responsibility for covering up the 2016 data breach that affected 57 million customers and drivers, as part of a deal with US prosecutors to avoid criminal prosecution.
In reaching a non-prosecution agreement, Uber admitted that its employees failed to report the November 2016 hack to the US Federal Trade Commission, despite the agency into the investigation into the matter of data security of the uber company.
The US Attorney Stephanie Hinds of San Francisco said Uber waited about an entire year to report the breach, after installing new executive leadership ”establish a strong tone from the top”‘ about ethics and compliance.
Hinds says that the decision should not criminally charge Uber reflects new management’s rapid investigation and disclosure, as well as Uber’s 2018 agreement with the FTC to maintain a comprehensive privacy program for 20 years.
The San Francisco-based company is also cooperating with the prosecution of the former chief of security, Joseph Sullivan, for allegedly playing a role in covering up the hack. Uber did not respond to a request for comment. Sullivan was initially charged in September 2020. Prosecutors say that Sullivan arranged to pay the hackers $100,000 in BTC and had them sign false non-disclosure agreements that they haven’t stolen the data during the hack.
Uber had a bounty program designed to reward security researchers for reporting vulnerabilities but did not cover data theft.
In September 2018, Uber paid $148 million to settle claims in all 50 US states and Washington, D.C. that it was too slow to disclose the hack. Uber stock closed at 93 cents at $23.30 in the last trading session.The non-prosecution agreement was revealed after the US market session ended.