Uber acknowledges concealing 2016 hacking, avoids prosecution in U.S. settlement
In order to avoid criminal prosecution, Uber Technologies Inc. agreed to a settlement with US prosecutors on Friday and took responsibility for concealing a 2016 data breach that affected 57 million users and drivers.
In a non-prosecution agreement, Uber acknowledged that its staff neglected to notify the US Federal Trade Commission of the attack in November 2016 even though the agency was looking into the ride-sharing company’s data security.
U.S. Attorney Stephanie Hinds in San Francisco said that Uber waited approximately a year to report the breach, and did so after appointing new executive leadership that “set a strong tone from the top” about ethics and compliance.
Hinds claimed that Uber’s 2018 agreement with the FTC to maintain a thorough privacy program for 20 years and new management’s swift inquiry and disclosures were key factors in the decision not to prosecute the company.
Additionally, the San Francisco-based business is assisting in the prosecution of Joseph Sullivan, a former security head, who is accused of helping to cover up the breach.
Uber did not immediately respond to requests for comment.
Sullivan was first charged in September 2020. According to the prosecution, Sullivan arranged for the hackers to receive $100,000 in Bitcoin and to sign non-disclosure agreements that falsely claimed they had not taken any data.
Uber has a bounty scheme that was intended to encourage security experts to report security holes, not to conceal data thefts.
In September 2018, Uber agreed to pay $148 million to resolve charges from all 50 US states and Washington, D.C., that it took too long to reveal the hacking.
On Friday, Uber stock dropped 93 cents to close at $23.30. The non-prosecution agreement was made public after U.S. markets had closed.