Uber Avoids Federal Prosecution Over 2016 Breach of Data on 57M Users
"Uber has officially accepted responsibility for hiding a 2016 data breach that exposed the data of 57 million passengers and drivers..." reports Engadget. Reuters explains this acknowledgement "was part of a settlement with U.S. prosecutors to avoid criminal charges."

In entering a non-prosecution agreement, Uber admitted that its personnel failed to report the November 2016 hacking to the U.S. Federal Trade Commission [for nearly one year], even though the agency had been investigating the ride-sharing company's data security... U.S. Attorney Stephanie Hinds in San Francisco said the decision not to criminally charge Uber reflected new management's prompt investigation and disclosures, and Uber's 2018 agreement with the FTC to maintain a comprehensive privacy program for 20 years. The San Francisco-based company is also cooperating with the prosecution of a former security chief, Joseph Sullivan, over his alleged role in concealing the hacking.

Here's what the Department of Justice is now alleging against that security chief (as summarized by Reuters last month): "he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the U.S. Federal Trade Commission." That's led to three separate wire fraud charges against the former security chief, as well as two charges for obstruction of justice.

The defendant was originally indicted in September 2020, and is believed to be the first corporate information security officer criminally charged with concealing a hacking. Prosecutors said Sullivan arranged to pay the hackers $100,000 in bitcoin, and have them sign nondisclosure agreements that falsely stated they had not stolen data. Uber had a bounty program designed to reward security researchers who report flaws, not to cover up data thefts.... In September 2018, the San Francisco-based company paid $148 million to settle claims by all 50 U.S. states and Washington, D.C. that it was too slow to reveal the hacking.