The confidential data of 57 million customers and drivers was exposed as part of a settlement with the US Department of Justice.
According to a press release from the DOJ, in order to not be prosecuted for the cover-up, the company's personnel failed to report the November 2016 data breach to the FTC.
The hackers used stolen credentials to access a private source code repository and obtained a proprietary access key which they used to access and copy large quantities of data associated with users and drivers.
It was only after the company publicly disclosed it that the data breach was revealed. The company paid $100,000 to the hackers in order to remove the data from their computer systems. The new CEO of the company admitted that the cover-up should not have occurred.
The breach was reported to the public, drivers, and government authorities after it was discovered. The decision not to prosecute the company was based on a number of factors. The civil litigation that was tied to the data breach was settled for over a hundred million dollars.
The company's leadership under Kalanick didn't learn of the breach until a month after it happened. The chief security officer at the time, Joe Sullivan, was fired by the company after he was involved in the cover-up. Sullivan was accused of trying to hide a data breach from the FTC. His case is going to trial.
The hack included names, email addresses, and phone numbers of more than 50 million riders worldwide, while more than 7 million drivers had the same data exposed.