Uber Data Breach Cover-Up

Hackers stole data on 57 million users and 600,000 drivers. Rather than disclosing the breach, Uber secretly paid the attackers $100,000 disguised as a bug bounty, covering it up for over a year.

Uber · 2016 · 2 min read

Background

In 2016, Uber was already under intense scrutiny for its business practices and culture. When two hackers stole a massive trove of user and driver data, the company's leadership made the decision to conceal the breach entirely rather than notify regulators and affected individuals as required by law.

The Attack

The attackers gained access to a private GitHub repository used by Uber engineers, found AWS credentials hardcoded in the source, and used them to download a database backup containing the names, email addresses, and phone numbers of 57 million users and driver's license information for 600,000 drivers. They demanded $100,000 in ransom. Uber paid it, routing the payment through its bug bounty program, and had the hackers sign NDAs.

Response

The cover-up was exposed in November 2017 when a new Uber CISO reviewed the incident. Uber CEO Dara Khosrowshahi disclosed the breach publicly and fired the security executives responsible. The company cooperated with regulators and law enforcement.

Outcome

Uber's former Chief Security Officer Joe Sullivan was convicted of obstruction of justice and concealing a felony, a landmark criminal conviction of a tech executive for a breach cover-up. Uber paid $148 million in a multistate settlement. The incident became a reference case for breach notification requirements and executive accountability.

Key Takeaways

  1. Credentials must never be stored in source code, even in private repositories
  2. Covering up a data breach is a criminal offense, not a PR strategy
  3. Bug bounty programs require strict controls to prevent ransom laundering
  4. Security executives bear personal legal liability for cover-ups
  5. Breach notification laws exist to protect individuals — compliance is not optional
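The attack narrative and the first takeaway both turn on credentials committed to source. The following scanner is an added example for this write-up, not Uber's code or tooling: it flags AWS-style access key IDs and secret keys in file contents so a pre-commit hook or CI job can reject the commit before it reaches any repository, private or not. The AKIA/ASIA prefix format is AWS's real key layout; the entropy threshold is an assumption chosen to drop obvious placeholders, and every sample file below is constructed, using AWS's documentation placeholder keys rather than live credentials.

```python
"""Scanner for AWS credentials hardcoded in source files.

Added example, not Uber's own tooling. It detects the kind of committed
credential the attack above relied on, so a hook or CI step can block the
commit. All sample file contents below are constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Long-term IAM access key IDs start with AKIA, temporary STS ones with ASIA;
# both are 20 characters: the 4-char prefix plus 16 uppercase base32 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 base64-style characters. The bare pattern alone
# matches far too much (hashes, tokens), so require an assignment on the same
# line whose name says "secret", and filter low-entropy placeholders below.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws[_-]?secret[_-]?access[_-]?key|aws[_-]?secret|secret[_-]?key)"""
    r"""\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?"""
)

# Assumed threshold: placeholders such as 40 copies of "x" score 0 bits per
# character, while real random keys score well above 4.
MIN_SECRET_ENTROPY = 3.5


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full secret, only a redacted form


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    return f"{token[:4]}...{token[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-looking token in the text, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, line_no, "aws_secret_access_key", redact(token)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample "repository". The key values are AWS's documentation
# placeholders, not live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample: credentials committed alongside application code\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment, never in this repo.\n",
    "deploy/env.example": 'aws_secret_access_key = "' + "x" * 40 + '"\n',
}


def main() -> int:
    """Exit non-zero when anything is found, so a hook or CI step can block the commit."""
    findings = scan_repo(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the constructed sample it reports the two real-looking keys in `config/settings.py` and stays quiet on the README mention and the all-`x` placeholder, which is the behaviour you want from a blocking hook: noisy enough to catch a committed key, quiet enough that engineers do not learn to bypass it. A scanner of this kind is a last line of defence; the primary control is issuing short-lived credentials from a secrets manager or instance role so there is nothing long-lived to commit in the first place.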
Tags: data breach, cover-up, credentials, GitHub, breach notification, executive liability