In November 2017, the company's (new) CEO Dara Khosrowshahi disclosed a cyber attack suffered in October 2016 which breached the personal information of 57 million customers and drivers saying "none of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes". For background, the company's former CEO had resigned in June 2017 due to the 'toxic' corporate culture he had overseen.
As part of the disclosure the company revealed that the hackers responsible had been paid $100,000 to delete the data and keep the breach quiet. Subsequently, the company were accused of concealing the breach and criticised for failing to notify the affected individuals and regulators. In the fallout, two employees responsible for the 2016 incident response were fired.
The company agreed to pay a $148 million settlement in September 2018 and later that same year, several European data protection agencies also imposed fines related to this breach.
The company entered into a non-prosecution agreement with the Federal Trade Commission (FTC) in July 2022 and officially accepted responsibility for hiding the data breach. They also agreed to cooperate in the prosecution of their former chief security officer charged with obstruction of justice for trying to hide the data breach from the FTC.
In October 2022, the company's former chief information security officer was convicted of federal charges for hiding this breach in what WIRED described as "a rare criminal consequence for an executive’s handling of a hack". By May 2023, the CISO was sentenced to 3 years of probation, 200 hours of community service and ordered to pay a $50,000 fine resulting in observers questioning whether the sentence amounted to a slap on the wrist.
Want to discuss this case? You can purchase a 30 minute conference call with our analysts to discuss this case and the implications it has for your organisation. Just select the time and date that works for you: