57 million individuals' data stolen and technology company held to ransom


In November 2017, (new) CEO Dara Khosrowshahi disclosed a cyber attack suffered by the company in October 2016 which breached the personal information of 57 million customers and drivers. Khosrowshahi said "none of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes". For background, the company's former CEO had resigned in June 2017 due to the 'toxic' corporate culture he had overseen.

As part of the company's disclosure they revealed that the hackers responsible had been paid $100,000 to delete the data and keep the breach quiet. Subsequently, the company were accused of concealing the breach and criticised for failing to notify the individuals affected and regulators. In the fallout during 2017, two employees responsible for the 2016 incident response were fired by Khosrowshahi.

The company agreed to pay $148 million in a nationwide settlement for the data breach in September 2018 and later that same year, several European data protection agencies imposed fines for the breach.

In July 2022, the company entered into a non-prosecution agreement with the Federal Trade Commission (FTC) and officially accepted responsibility for hiding the data breach. They also agreed to cooperate in the prosecution of former chief security officer Joe Sullivan who is charged with obstruction of justice for trying to hide the data breach from the FTC, his case is scheduled to go to trial in September 2022.

Speak to the analyst

Want to discuss this case? We're offering a FREE 20 minute phone consultation to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:


Courtenay Brammar

Experienced global enterprise risk and governance professional. Previously Vice President at Morgan Stanley, Deloitte Risk Advisory practitioner and PRMIA steering committee member in both London and New York.

Additional services

We offer a range of cost-effective, fixed-price training programmes and consultant services derived from the unique insights gained from all our case study data.

If you'd rather we did the heavy lifting in developing a cyber incident response plan or lessons learnt training for your organisation underpined by our unique insight into the challenges faced and strategies implemented by organisations countering today's cyber security threats then please contact us here.


  • Uber Technologies Inc.

We've done the analysis so you can make the decisions

When purchasing a minimum of 5 Case Studies
$699.99 if buying less than 5.

  • Detailed cause & effect analysis
  • Lessons learnt catalogued
  • Preventive controls extracted
Add to Cart
Heads up! Want to try before you buy? You can download our FREE demo case study here