Uber Technologies Inc on Friday accepted responsibility for covering up a 2016 data breach that affected 57 million passengers and drivers as part of a settlement with US prosecutors to avoid criminal charges.
In entering a non-prosecution agreement, Uber admitted that
its personnel failed to report the November 2016 hacking to the US Federal
Trade Commission, even though the agency had been investigating the
ride-sharing company's data security.
US Attorney Stephanie Hinds in San Francisco said Uber
waited about a year to report the breach, after installing new executive
leadership who "established a strong tone from the top" regarding
ethics and compliance.
Hinds said the decision not to criminally charge Uber
reflected new management's prompt investigation and disclosures and Uber's 2018
agreement with the FTC to maintain a comprehensive privacy program for 20
years.
The San Francisco-based company is also cooperating with the
prosecution of a former security chief, Joseph Sullivan, over his alleged role
in concealing the hacking.
Uber did not immediately respond to requests for comment.
Sullivan was originally indicted in September 2020.
Prosecutors said Sullivan arranged to pay the hackers $100,000 in bitcoin and
have them sign nondisclosure agreements that falsely stated they had not stolen
data.
Uber had a bounty program designed to reward security
researchers who report flaws, but not to cover up data thefts.
In September 2018, Uber paid $148 million to settle claims
by all 50 US states and Washington, DC, that it was too slow to disclose the
hacking.
Uber shares closed down 93 cents at $23.30 on Friday. The
non-prosecution agreement was disclosed after US markets closed.