Uber Technologies Inc on Friday accepted responsibility for covering up a 2016 data breach that affected 57 million passengers and drivers, as part of a settlement with U.S. prosecutors to avoid criminal prosecution.
In reaching a non-prosecution agreement, Uber admitted that its staff had not reported the November 2016 hack to the US Federal Trade Commission, even though the agency had investigated the security of the company’s data.
U.S. attorney Stephanie Hinds in San Francisco said Uber waited about a year to report the breach, after installing new executive leadership that “set a strong tone from the top” regarding ethics and compliance.
Hinds said the decision not to charge Uber reflected new management’s prompt investigation and disclosures, as well as Uber’s 2018 agreement with the FTC to maintain a comprehensive privacy program for 20 years.
The San Francisco-based company is also cooperating with the prosecution of a former security chief, Joseph Sullivan, for his alleged role in covering up the hack.
Uber did not immediately respond to requests for comment.
Sullivan was originally charged in September 2020. Prosecutors said Sullivan arranged to pay the hackers $100,000 in bitcoins and have them sign nondisclosure agreements falsely stating that they had not stolen any data.
Uber had a bounty program designed to reward security researchers who report vulnerabilities, but not to cover data breaches.
In September 2018, Uber paid $148 million to settle claims from all 50 US states and Washington, DC that it was too slow to disclose the hack.
Uber shares closed 93 cents at $23.30 on Friday. The non-prosecution agreement was disclosed after US markets closed.
(Reporting by Jonathan Stempel in New York; Editing by Leslie Adler)