In November 2017, (new) CEO Dara Khosrowshahi disclosed a cyber attack suffered by the company in October 2016 which breached the personal information of 57 million customers and drivers. Khosrowshahi said "none of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes". For background, the company's former CEO had resigned in June 2017 due to the 'toxic' corporate culture he had overseen.
As part of the company's disclosure they revealed that the hackers responsible had been paid $100,000 to delete the data and keep the breach quiet. Subsequently, the company were accused of concealing the breach and criticised for failing to notify the individuals affected and regulators. In the fallout during 2017, two employees responsible for the 2016 incident response were fired by Khosrowshahi.
The company agreed to pay $148 million in a nationwide settlement for the data breach in September 2018 and later that same year, several European data protection agencies imposed fines for the breach.
In July 2022, the company entered into a non-prosecution agreement with the Federal Trade Commission (FTC) and officially accepted responsibility for hiding the data breach. They also agreed to cooperate in the prosecution of former chief security officer Joe Sullivan who is charged with obstruction of justice for trying to hide the data breach from the FTC, his case is scheduled to go to trial in September 2022.
Want to discuss this case? We're offering a FREE 20 minute phone consultation to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:
If you'd rather we did the heavy lifting in developing a cyber incident response plan or lessons learnt training for your organisation underpined by our unique insight into the challenges faced and strategies implemented by organisations countering today's cyber security threats then please contact us here.