The US Attorney’s Office for the Northern District of California recently announced that a non-prosecution agreement had been entered with Uber Technologies, Inc. to resolve allegations regarding the company’s efforts to cover up a 2016 data breach, which compromised the personal data of approximately 57 million consumers. In 2017, only after a new executive leadership team was installed was the incident discovered and reported to the affected customers and drivers, various law enforcement agencies and the Federal Trade Commission. In 2018, the ride-sharing company reached a record-breaking $148 million national settlement with the attorneys general of all 50 states and the District of Columbia to resolve claims resulting from the breach.
According to the Statement of Facts provided in the non-prosecution agreement, Uber admitted that it was first made aware of the 2016 breach only 10 days after Joseph Sullivan, Uber’s new Chief Security Officer at the time, testified before the FTC regarding a 2014 data breach that had occurred prior to his employment. On November 14, 2016, Sullivan received an email from hackers reporting a “major vulnerability in uber.” Within a day, Uber’s security team had discovered and repaired the system vulnerability and confirmed that approximately 57 million user records had been accessed without authorization. In the weeks that followed, the hackers demanded a six-figure payment in exchange for deleting the data obtained, and the payment was made to the hackers under the auspices of Uber’s bug bounty program, which invites cyber experts to search for system vulnerabilities and receive payment if vulnerabilities are reported. Sullivan also allegedly instructed his team not to discuss the data breach. In addition, Uber confirmed that its employees were eventually able to identify and locate the two hackers, who agreed to sign a non-disclosure agreement preventing them from revealing the 2016 breach.
In the non-prosecution agreement, federal prosecutors provided several reasons why the settlement with Uber was appropriate, the first being that Uber had accepted responsibility for its mishandling of the 2016 breach and had voluntarily disclosed the breach in 2017 while under new leadership. In addition, the USAO acknowledged that Uber’s new leadership team strengthened the culture of transparency and compliance after the breach, hired new executives to manage its global data privacy compliance program, and terminated the two individuals who mismanaged the incident.
Additional justifications for the settlement include Uber’s 2018 settlement with the FTC in which Uber not only agreed to maintain a comprehensive privacy program but also consented to the FTC conducting biennial assessments of Uber’s privacy controls for a period of 20 years and agreed to report to federal, state or local authorities any incident involving unauthorized access to consumer information. The USAO also took into consideration the $148 million settlement with state AGs which contained similar obligations to the FTC settlement, including Uber’s consent to a biennial assessment of its information security program for a period of 10 years.
The USAO also considered its own determination that an independent compliance monitor was unnecessary following the USAO’s examination of Uber’s current compliance program. In addition, the USAO cited Uber’s full cooperation provided early in the investigation and its agreement to continue its full cooperation with the USAO and the FBI regarding the pending matter against the company’s former Chief Security Officer.