In 2016, Uber suffered a major **data breach** where hackers accessed and exfiltrated **57 million records**—including personal data of drivers (600,000 license numbers) and riders (names, email addresses, phone numbers). Instead of disclosing the incident, Uber’s then-Chief Security Officer (Joe Sullivan) **paid the attackers $100,000** under the guise of a bug-bounty program to delete the data and stay silent. The breach was concealed for over a year, violating U.S. laws (e.g., FTC consent decree) and leading to Sullivan’s **felony conviction** (2022) for obstruction and misprision. The incident exposed systemic failures in Uber’s **transparency, governance, and crisis response**, with the CEO (Travis Kalanick) allegedly complicit but uncharged. The fallout included **executive firings**, regulatory fines, reputational damage, and lasting scrutiny over Uber’s **ethical and legal compliance**. Sullivan’s case became a landmark in **CISO accountability**, highlighting how cover-ups can escalate consequences beyond the initial breach.
Source: https://www.theregister.com/2025/10/22/exuber_cso_joe_sullivan_interview/
TPRM report: https://www.rankiteo.com/company/uber-com
{
  "id": "ube1503415102325",
  "linkid": "uber-com",
  "type": "Breach",
  "date": "6/2016",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "57 million (users) + 600,000 (drivers)",
      "industry": "Transportation (Ride-Sharing)",
      "location": "San Francisco, California, USA",
      "name": "Uber Technologies, Inc.",
      "size": "Large (Global operations)",
      "type": "Corporation"
    }
  ],
  "attack_vector": ["Social Engineering", "Third-Party Compromise (likely)", "Extortion"],
  "customer_advisories": "Delayed (breach disclosed publicly in 2017, over a year after occurrence)",
  "data_breach": {
    "data_exfiltration": "Yes",
    "number_of_records_exposed": "57.6 million (total)",
    "personally_identifiable_information": "Yes (names, email addresses, phone numbers, driver’s license data)",
    "sensitivity_of_data": "High (PII, license numbers)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Driver’s license numbers",
      "Email addresses",
      "Phone numbers",
      "Source code (alleged)"
    ]
  },
  "date_detected": "2016",
  "date_publicly_disclosed": "2017",
  "description": "In 2016, Uber suffered a significant data breach where hackers accessed and exfiltrated sensitive user and driver data. The breach was subsequently covered up by then-Chief Security Officer (CSO) Joe Sullivan, who attempted to disguise an extortion payment to the hackers as a bug-bounty reward. Sullivan was later convicted of two felonies related to the cover-up in 2022, marking the first time a high-profile CSO was criminally charged for mishandling a data breach response. The incident highlighted systemic issues in corporate accountability, cybersecurity culture, and the pressures faced by security executives. Sullivan was sentenced to three years of probation and 200 hours of community service, while Uber's then-CEO Travis Kalanick faced no charges despite alleged involvement in the decision-making process.",
  "impact": {
    "brand_reputation_impact": "Severe (public backlash, regulatory scrutiny, leadership changes)",
    "data_compromised": [
      "User data (57 million records)",
      "Driver data (600,000 records)",
      "Source code (alleged)"
    ],
    "identity_theft_risk": "High (PII of users and drivers exposed)",
    "legal_liabilities": [
      "Felony convictions for Joe Sullivan (CSO)",
      "No charges for Travis Kalanick (CEO)",
      "Potential regulatory fines for Uber"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Unconfirmed (data was exfiltrated but not publicly leaked)",
    "high_value_targets": ["User databases", "Driver databases", "Potential source code"]
  },
  "investigation_status": "Closed (legal proceedings ongoing for Joe Sullivan's appeal)",
  "lessons_learned": [
    "Corporate culture and CEO accountability are critical in cybersecurity incident response.",
    "Covering up breaches can lead to severe legal and reputational consequences, even for executives.",
    "Cybersecurity risks have evolved from data breaches to operational disruptions (e.g., ransomware shutting down factories).",
    "CISOs/CSOs face disproportionate blame and career risks, often becoming 'scapegoats' for systemic failures.",
    "Gaming culture and cybercriminal grooming contribute to the rise of young hackers (e.g., Scattered Spider).",
    "Transparency and timely disclosure are essential to compliance and trust."
  ],
  "motivation": ["Financial Gain (extortion)", "Data Theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Uber implemented stricter data protection measures post-FTC settlement.",
      "Joe Sullivan’s case prompted discussions on CISO accountability and legal protections.",
      "Increased scrutiny of executive roles in cybersecurity governance.",
      "Uber’s subsequent leadership changes (e.g., Dara Khosrowshahi replaced Travis Kalanick as CEO)."
    ],
    "root_causes": [
      "Lack of transparency in breach response",
      "CEO and leadership culture prioritizing secrecy over compliance",
      "Inadequate incident response planning",
      "Misalignment between legal, security, and executive teams",
      "Failure to notify regulators and affected individuals in a timely manner"
    ]
  },
  "ransomware": {
    "data_exfiltration": "Yes",
    "ransom_demanded": "$100,000 (extortion payment)",
    "ransom_paid": "Yes ($100,000, disguised as bug bounty)"
  },
  "recommendations": [
    "Boards and CEOs must take shared responsibility for cybersecurity, not delegate blame solely to security leaders.",
    "Companies should invest in operational resilience to mitigate risks like ransomware-induced shutdowns.",
    "Legal and ethical frameworks for breach disclosure must be clearly defined and enforced.",
    "Security leaders should document decision-making processes to protect against unfair scapegoating.",
    "Organizations should address the root causes of burnout and unrealistic expectations for CISOs/CSOs.",
    "Early intervention and education are needed to deter young individuals from cybercrime (e.g., gaming community risks)."
  ],
  "references": [
    {"source": "The Register", "url": "https://www.theregister.com"},
    {"source": "U.S. Department of Justice (Joe Sullivan Case)", "url": "https://www.justice.gov"},
    {"source": "FTC Uber Settlement (2018)", "url": "https://www.ftc.gov/news-events/news/press-releases/2018/04/ftc-charges-uber-deceived-consumers-failed-protect-drivers-privacy"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "$148 million (FTC settlement, 2018)",
    "legal_actions": [
      "Felony convictions for Joe Sullivan (2022)",
      "No charges for Uber executives beyond Sullivan and Craig Clark (Legal Director)"
    ],
    "regulations_violated": [
      "Potential violations of state data breach notification laws (e.g., California)",
      "Federal Trade Commission (FTC) settlement (2018) for $148 million"
    ],
    "regulatory_notifications": "Delayed (breach concealed for over a year)"
  },
  "response": {
    "communication_strategy": "Deceptive (breach concealed for over a year)",
    "containment_measures": [
      "Payment to hackers ($100,000 disguised as bug bounty)",
      "Non-disclosure of breach"
    ],
    "incident_response_plan_activated": "Yes (but mishandled)",
    "law_enforcement_notified": "No (intentionally concealed)"
  },
  "threat_actor": [
    "Unnamed hackers (paid $100,000 extortion)",
    "Potential ties to cybercriminal networks"
  ],
  "title": "Uber 2016 Data Breach and Cover-Up",
  "type": ["Data Breach", "Extortion", "Cover-Up"]
}