Uber has avoided criminal charges from U.S. prosecutors by accepting responsibility for its 2016 cover up of a data breach that affected 57 million passengers and drivers.
According to a Reuters report, the company has admitted fault for its failure to report the 2016 data breach caused by hackers to the U.S. Federal Trade Commission, and has entered into a non-prosecution agreement. That same year, Uber was being investigated by the FTC over its data security.
Uber waited a year to report the breach, according to the U.S. Attorney in San Francisco, Stephanie Hinds. They reported the hack after new executive leadership was hired to establish a “strong tone from the top” vis-a-vis ethics and compliance.
The Attorney’s office said that they had decided not to pursue criminal charges as the new leadership had been prompt in investigating breaches and being transparent with disclosures. The decision was bolstered by an agreement between Uber and the FTC signed in 2018 which would require the company to maintain an extensive privacy program.
Also Read: What are the Uber Files?
The company is no stranger to run-ins with the FTC. Most recently, Uber has been cooperating in the investigation into its former head of security, Joseph Sullivan, who allegedly paid off hackers to conceal their hacking of the company’s data.
According to the suit, Sullivan paid off two unknown hackers $100,000 in bitcoin and made them sign non-disclosure agreements which falsely stated that they had not stolen data. Sullivan was originally indicted in September 2020. His move comes across as even more perplexing given that Uber runs a bounty program for security researchers, paying them for discoveries of any flaws in their systems.
Also Read: Uber’s messy journey: A timeline
Uber has had a rocky last few years as it has shuttered headquarters in China and sold off divisions in an effort to staunch losses. Despite this, the company has been consistently been in court for its data breaches. In 2018, the company paid $148 million to all U.S. states for its delay in informing them about hacking.