SAN FRANCISCO (CN) — In exchange for cooperating with a federal investigation, the U.S. Department of Justice will not prosecute Uber for covering up a 2016 data breach, officials announced late Friday.
The non-prosecution agreement says Uber accepted responsibility for failing to immediately report the data breach to the Federal Trade Commission.
Two hackers gained access to an Uber-owned Amazon web server in 2016, making off with the personal information of 57 million riders and drivers, including 600,000 drivers’ license numbers.
Uber didn’t admit that hackers stole the accounts until a year later, in November 2017, after CEO Travis Kalanick stepped down and was replaced by Dara Khosrowshahi.
Vasile Mereacre, 23, of Toronto, and Brandon Glover, 26, of Florida, pleaded guilty to the hack in October 2019.
The ride-hail company fired its security chief Joe Sullivan and one of his deputies for their roles in covering up the hack, which included a $100,000 payout to Mereacre and Glover in exchange for deleting the stolen data and keeping quiet. Sullivan allegedly funneled the bitcoin payment through Uber’s “bug-bounty” program, through which “white hat” hackers are paid to search for and report security flaws.
Sullivan was charged in 2020 with obstruction and failing to report a felony to authorities. Three wire fraud counts were added in 2021. U.S. District Judge William Orrick, who is overseeing the case, refused to dismiss the additional charges in June.
Though the hackers originally refused to provide their real names, prosecutors say Sullivan tried to get them to sign non-disclosure agreements that said they did not steal any data.
Uber’s non-prosecution deal with the feds requires the company to continue cooperating with the U.S. attorney’s investigation of the breach and its prosecution of Sullivan, whose criminal trial is scheduled to start in early September in the Northern District of California. This includes turning over documents relevant to the case and allowing company executives to meet with prosecutors.
The FTC learned in 2018 that Uber had hidden the breach from its investigators, a year after it settled claims over the company’s failure to live up to promises that its customers’ data was secure. As a result, the settlement was expanded to subject Uber to civil penalties if it ever again deceives the FTC about future breaches.
Uber also agreed to pay $148 million in penalties in a multistate settlement in 2018.
Uber did not respond to a request for comment late Friday.