Uber—Uber concealed 2016 data breach affecting 57 million users and paid hackers $100K ransom disguised as bug bounty
In late 2016, hackers accessed Uber systems using stolen GitHub credentials and stole personal data of 57 million riders and drivers worldwide, including names, email addresses, phone numbers, and 600,000 US driver license numbers. Rather than disclosing the breach to the FTC (which was already investigating Uber for a 2014 breach), CSO Joe Sullivan paid the hackers $100,000 in bitcoin disguised as a bug bounty and required them to sign NDAs. The breach was concealed for over a year and only disclosed in November 2017 under new CEO Dara Khosrowshahi. Uber paid $148 million to settle with all 50 US states in September 2018.
Scoring Impact
| Topic | Direction | Relevance | Contribution |
|---|---|---|---|
| Corporate Governance | -against | secondary | -0.50 |
| Corporate Transparency | -against | primary | -1.00 |
| Data Security | -against | primary | -1.00 |
| User Privacy | -against | secondary | -0.50 |
| Overall incident score = | -1.020 | | |
Score = avg(topic contributions) × significance (critical ×2) × confidence (0.68)
Evidence (2 signals)
DOJ announced former Uber CSO Joseph Sullivan convicted for covering up 2016 data breach
The US Department of Justice announced that a federal jury convicted Joseph Sullivan, Uber's former Chief Security Officer, of obstruction of FTC proceedings and misprision of felony for concealing the 2016 data breach. Sullivan had orchestrated the $100,000 ransom payment to hackers disguised as a bug bounty and concealed the breach from the FTC.
Uber paid $148 million to settle with all 50 states over concealed 2016 data breach
Uber reached a joint settlement with all 50 states and Washington D.C. to pay $148 million for the 2016 data breach affecting 57 million users and the subsequent year-long cover-up. California AG Xavier Becerra called it 'a blatant violation of the public's trust.'