304 North Cardinal St.
Dorchester Center, MA 02124
Prosecutors said the former security chief arranged to pay the hackers $100,000 in bitcoins to cover up the incident
Uber Technologies Inc on Friday accepted responsibility for covering up a 2016 data breach that affected 57 million passengers and drivers as part of a deal with US prosecutors to avoid prosecution.
In striking a non-prosecution agreement, Uber admitted that its employees did not report the November 2016 hacking to the US Federal Trade Commission, even though the agency was investigating the ride-sharing company’s data security.
U.S. Attorney Stephanie Hinds of San Francisco said Uber waited about a year to report the breach after it installed new executives who “set a strong tone from the top” on ethics and compliance.
Hinds said the decision not to criminally charge Uber reflected the swift investigation and revelations of new management and Uber’s 2018 agreement with the FTC to maintain a comprehensive privacy program for 20 years.
The San Francisco-based company is also cooperating with the prosecution of former security chief Joseph Sullivan over his alleged role in covering up the hacking attack.
Uber did not immediately respond to requests for comment.
Sullivan was originally indicted in September 2020. Prosecutors said Sullivan arranged to pay the hackers $100,000 in bitcoins and have them sign non-disclosure agreements that falsely stated they had not stolen the data.
Uber had a bounty program designed to reward security researchers who report bugs, but not to cover up data theft.
In September 2018, Uber paid $148 million to settle claims by all 50 US states and Washington, DC that it was too slow to detect hacking.
Uber shares closed down 93 cents at $23.30 on Friday. The non-prosecution agreement was made public after US markets closed.