Uber

In 2016, Uber suffered a major data breach in which hackers accessed a third-party cloud service and stole personal data of 57 million users (drivers and riders), including names, email addresses, and phone numbers, as well as driver’s license numbers for 600,000 drivers. Instead of disclosing the incident to regulators (the US Federal Trade Commission) and affected individuals, Uber’s then-Chief Security Officer, Joseph Sullivan, orchestrated a cover-up. The company paid the hackers $100,000 in ransom (disguised as a bug bounty) to delete the data and keep the breach secret. The concealment lasted over a year, violating breach notification laws and leading to Sullivan’s 2023 conviction for obstruction of justice and misprision of a felony (failure to report a crime). The breach exposed Uber to regulatory fines, reputational damage, and legal liabilities, while eroding trust among users and drivers. The case underscored the risks of non-compliance with data protection laws and the severe consequences of executive-level misconduct in cybersecurity incidents.

Source: https://www.mlex.com/articles/2410290/former-uber-security-chief-fails-to-get-us-appellate-rehearing-over-conviction

Uber cybersecurity rating report: https://www.rankiteo.com/company/uber-com

{
  "id": "UBE4092840111225",
  "linkid": "uber-com",
  "type": "Breach",
  "date": "6/2016",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '57 million (users and drivers '
                                              'worldwide)',
                        'industry': 'Transportation (Ride-hailing)',
                        'location': 'San Francisco, California, USA',
                        'name': 'Uber Technologies, Inc.',
                        'size': 'Large (Publicly traded; global operations)',
                        'type': 'Corporation'}],
 'attack_vector': 'Third-party credential compromise (GitHub repository '
                  'access)',
 'customer_advisories': ['Delayed notification letters to affected '
                         'users/drivers (2017)',
                         'Credit monitoring offered to drivers whose license '
                         'numbers were exposed'],
 'data_breach': {'data_encryption': 'No (data stored unencrypted in AWS)',
                 'data_exfiltration': 'Yes (data downloaded by attackers)',
                 'file_types_exposed': ['Databases', 'Log files'],
                 'number_of_records_exposed': '57 million (50 million riders, '
                                              '7 million drivers)',
                 'personally_identifiable_information': 'Yes (names, emails, '
                                                        'phone numbers, '
                                                        'driver’s license '
                                                        'numbers)',
                 'sensitivity_of_data': 'High (includes government-issued IDs)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Driver’s license numbers']},
 'date_detected': '2016-10-01',
 'date_publicly_disclosed': '2017-11-21',
 'description': 'Former Uber security chief Joseph Sullivan was convicted for '
                'obstruction and misprision in concealing a 2016 data breach '
                'from the US Federal Trade Commission (FTC). The appeals court '
                'refused to hold a full panel rehearing on his conviction, '
                'upholding the earlier ruling. The breach involved '
                "unauthorized access to Uber's systems, exposing sensitive "
                'user and driver data, which was subsequently concealed from '
                'regulators and the public.',
 'impact': {'brand_reputation_impact': 'Severe damage due to concealment of '
                                       'breach and misleading public '
                                       'statements; long-term erosion of trust',
            'customer_complaints': 'Increased distrust and public backlash '
                                   'following delayed disclosure',
            'data_compromised': ['Personal data of 57 million Uber users and '
                                 'drivers (names, email addresses, phone '
                                 'numbers)',
                                 'Driver’s license numbers for ~600,000 US '
                                 'drivers'],
            'identity_theft_risk': 'High (due to exposure of PII and driver’s '
                                   'license numbers)',
            'legal_liabilities': ['FTC settlement (2018) for $148 million',
                                  'Criminal conviction of Joseph Sullivan '
                                  '(2023) for obstruction and misprision',
                                  'Potential class-action lawsuits'],
            'operational_impact': 'Internal investigation and leadership '
                                  'changes, including termination of Sullivan '
                                  'and other executives',
            'payment_information_risk': 'None reported',
            'systems_affected': ['Uber’s AWS data storage',
                                 'GitHub repositories']},
 'initial_access_broker': {'data_sold_on_dark_web': 'No (data was downloaded '
                                                    'but not publicly leaked; '
                                                    'attackers paid to delete '
                                                    'it)',
                           'entry_point': 'Compromised credentials for Uber’s '
                                          'private GitHub repository',
                           'high_value_targets': ['AWS S3 buckets containing '
                                                  'unencrypted user/driver '
                                                  'data']},
 'investigation_status': 'Closed (legal proceedings concluded with Sullivan’s '
                         'conviction upheld in 2025; FTC settlement fulfilled)',
 'lessons_learned': ['Transparency with regulators and the public is critical, '
                     'even in the face of reputational risk.',
                     'Paying hackers to conceal breaches can lead to severe '
                     'legal consequences (obstruction charges).',
                     'Third-party credential management and access controls '
                     'require rigorous oversight.',
                     'Executive accountability for cybersecurity failures '
                     'extends beyond technical teams.'],
 'motivation': ['Financial Gain (extortion)', 'Cover-up of Security Failures'],
 'post_incident_analysis': {'corrective_actions': ['FTC-mandated security '
                                                   'program with biennial '
                                                   'audits for 20 years.',
                                                   'Executive leadership '
                                                   'overhaul (including '
                                                   'termination of Sullivan '
                                                   'and CEO Travis Kalanick).',
                                                   'Implementation of data '
                                                   'encryption and stricter '
                                                   'access controls.',
                                                   'Public commitment to '
                                                   'transparency in future '
                                                   'incidents.'],
                            'root_causes': ['Inadequate access controls for '
                                            'third-party code repositories '
                                            '(GitHub).',
                                            'Lack of encryption for sensitive '
                                            'data stored in AWS.',
                                            'Culture of concealment '
                                            'prioritized over transparency '
                                            '(e.g., misrepresenting hacker '
                                            'payment as bug bounty).',
                                            'Failure to comply with FTC’s 2017 '
                                            'consent order requiring breach '
                                            'disclosure.']},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_paid': '$100,000 (paid to hackers under false '
                               'pretenses, not ransomware)'},
 'recommendations': ['Implement mandatory breach disclosure timelines aligned '
                     'with regulatory requirements (e.g., GDPR, CCPA).',
                     'Avoid paying attackers without law enforcement '
                     'involvement; follow established incident response '
                     'protocols.',
                     'Conduct regular third-party security audits, especially '
                     'for cloud storage and code repositories.',
                     'Train executives on legal obligations for breach '
                     'reporting and anti-obstruction laws.',
                     'Adopt a ‘privacy by design’ approach to data storage, '
                     'including encryption for sensitive PII.'],
 'references': [{'date_accessed': '2025-11-12', 'source': 'MLex'},
                {'date_accessed': '2023-10-06',
                 'source': 'U.S. Department of Justice - Press Release '
                           '(Sullivan Conviction)',
                 'url': 'https://www.justice.gov/usao-ndca/pr/former-uber-security-chief-convicted-federal-jury-obstruction-justice-and'},
                {'date_accessed': '2018-04-12',
                 'source': 'FTC Settlement (2018)',
                 'url': 'https://www.ftc.gov/news-events/news/press-releases/2018/04/ftc-charges-uber-deceived-consumers-failed-protect-drivers-privacy'}],
 'regulatory_compliance': {'fines_imposed': '$148 million (FTC settlement, '
                                            '2018)',
                           'legal_actions': ['Criminal conviction of Joseph '
                                             'Sullivan (2023) for obstruction '
                                             'and misprision',
                                             'FTC enforcement action'],
                           'regulations_violated': ['FTC Act (deceptive '
                                                    'practices)',
                                                    'State data breach '
                                                    'notification laws '
                                                    '(delayed disclosure)'],
                           'regulatory_notifications': ['Delayed notification '
                                                        'to FTC and affected '
                                                        'individuals (violated '
                                                        'FTC’s 2017 consent '
                                                        'order)']},
 'response': {'communication_strategy': ['Initial concealment',
                                         'Delayed public disclosure (November '
                                         '2017)',
                                         'Apologetic statements from new CEO '
                                         'Dara Khosrowshahi'],
              'containment_measures': ['Paid hackers $100,000 to delete data '
                                       'and sign NDAs (misrepresented as bug '
                                       'bounty)',
                                       'Terminated access to compromised '
                                       'repositories'],
              'enhanced_monitoring': 'Implemented post-breach as part of FTC '
                                     'settlement',
              'incident_response_plan_activated': 'Yes (internally, but not '
                                                  'disclosed to regulators or '
                                                  'public promptly)',
              'law_enforcement_notified': 'No (intentionally concealed from '
                                          'FTC and other authorities)',
              'remediation_measures': ['Enhanced access controls',
                                       'Executive leadership changes',
                                       'FTC-mandated security improvements '
                                       'post-settlement'],
              'third_party_assistance': ['Mandiant (forensic investigation)',
                                         'External legal counsel']},
 'stakeholder_advisories': ['FTC consent order (2018) mandated biennial audits '
                            'for 20 years',
                            'Public apologies from Uber’s leadership in 2017'],
 'threat_actor': 'Hackers (unidentified; paid by Uber under the guise of a '
                 "'bug bounty' to delete data and stay silent)",
 'title': 'Uber 2016 Data Breach Concealment and Legal Conviction of Former '
          'Security Chief Joseph Sullivan',
 'type': ['Data Breach', 'Regulatory Violation', 'Legal Conviction'],
 'vulnerability_exploited': 'Poor access controls and credential management '
                            'for third-party code repositories'}