Uber has settled with the US Department of Justice over its cover-up of a November 2016 data breach.
The ride-sharing giant has agreed to help the DoJ prosecute its former chief security officer Joseph Sullivan in exchange for escaping prosecution itself.
The settlement stems from a breach that exposed 57 million users’ data, including both passengers and drivers. The intruders accessed a private source code repository and stole an access key, using it to steal the data. The company reportedly agreed to pay off the perpetrators in addition to concealing the breach from the Federal Trade Commission (FTC), which was already investigating its security practices at the time.
In November 2017, after the departure of former CEO Travis Kalanick and with new CEO Dara Khosrowshahi at the helm, Uber informed the FTC and fired Sullivan. In 2018, it settled with the Commission, agreeing to maintain a privacy program that included external audits. It also settled litigation with all 50 states, paying $148m.
The DoJ took criminal action against Sullivan in August 2020 for obstruction of justice and concealing a felony. It issued new charges in December 2021 for wire fraud, for failing to warn Uber drivers that their drivers’ licenses had been exposed. Uber has already been cooperating with this prosecution and will continue under the terms of the latest settlement. The company has agreed to provide any material and witnesses to help the DoJ prosecute Sullivan.
In return, Uber and its affiliates escape any prosecution related to the 2016 data breach.
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, warned that Uber could still face private civil litigation. “To avoid such undesirable situations, companies should take privacy and data breaches seriously, considering their duties and obligations under all applicable laws and regulations,” he said. “Having a well-thought-out data breach response plan in place that would include, among other things, swift interaction with internal and external legal teams, media and investors, is crucial to minimize reputational and financial damage of unpreventable data breaches. The close collaboration of technical and legal experts is the next big thing in cybersecurity.”
Sullivan, who now works as chief security officer at Cloudflare, is also a former federal prosecutor. From 2000 to 2002 he worked as an assistant US attorney in the Northern District of California, where he will be tried in September. Yesterday, he stated that he will be taking leave from work to prepare for the trial.