Uber's $100,000 Cover-Up: How Hiding a 57-Million-User Breach Became a Federal Crime
In 2016, hackers stole personal data on roughly 57 million Uber riders and drivers. Instead of disclosing it, Uber's security chief paid the hackers $100,000 to sign an NDA and delete the data, concealing the breach from regulators for about a year. The cover-up led to a $148 million state settlement, an FTC consent order, and the first criminal conviction of a corporate security executive for a breach cover-up.
In 2016, Uber's security team discovered that hackers had stolen personal data on roughly 57 million riders and drivers worldwide โ and instead of disclosing the breach, the company's own chief security officer arranged to pay the hackers $100,000 to delete the data and sign a false non-disclosure agreement. The underlying hack was Uber's second embarrassing security lapse in two years; the decision to hide it, made while the company was already under active investigation by the Federal Trade Commission over an earlier breach, is what turned an IT failure into a felony case โ culminating in 2022 in the first criminal conviction of a corporate security executive for concealing a data breach from regulators.
What happened
Uber's breach problem actually started two years earlier. In September 2014, hackers stole personal information โ including names and driver's license numbers โ on about 50,000 Uber drivers, according to the U.S. Department of Justice. Uber reported that incident to the Federal Trade Commission in February 2015, which opened an investigation into the company's data security practices; as part of that inquiry, then chief security officer Joe Sullivan gave testimony to FTC investigators in early November 2016 describing the security program he had built.
Ten days later, on November 14, 2016, Sullivan learned Uber had been breached again โ far more seriously. Two hackers had reportedly used a credential-stuffing attack to reach a private GitHub repository used by Uber engineers, found AWS access keys hard-coded inside it, and used those keys to reach a cloud storage bucket holding rider and driver records, according to reporting from CyberScoop and TechTarget. The data taken reportedly included names, emails, and phone numbers for around 50 million riders worldwide, plus records on about 7 million drivers โ including roughly 600,000 U.S. driver's license numbers, per the Department of Justice and NPR.
Rather than notify the FTC โ which was actively investigating Uber's security practices at that very moment โ or the affected users, Sullivan arranged to pay the two hackers $100,000 in bitcoin through Uber's bug bounty program, on condition that they sign an NDA falsely stating they had not obtained or stored any data, according to the Department of Justice's account of the case. Then-CEO Travis Kalanick was reportedly told about the breach around this time, though he was never criminally charged; prosecutors' case centered on Sullivan's personal role in concealing the incident from investigators.
The cover-up held for about a year. Uber's board learned of it during a due-diligence review tied to Kalanick's ouster as CEO in mid-2017, and in November 2017 new CEO Dara Khosrowshahi publicly disclosed the breach for the first time, firing Sullivan and an attorney who had helped manage the response, per NPR's reporting at the time.
The legal reckoning came in stages. In April 2018, Uber settled with the FTC, agreeing to expanded oversight of its data security practices. That September, attorneys general of all 50 states and DC announced a $148 million settlement โ then the largest multistate breach settlement on record โ over the delayed disclosure, per the New York Attorney General's office and NPR. Prosecutors separately charged Sullivan himself, and on October 5, 2022, a jury in the Northern District of California convicted him of obstruction of an FTC proceeding and misprision of a felony, per the Department of Justice. He was sentenced in May 2023 to three years of probation, 200 hours of community service, and a $50,000 fine โ avoiding prison, but leaving behind the first criminal conviction of a corporate security executive over how a breach was handled.
The mistake, dissected
The technical failure โ hardcoded AWS keys in a private GitHub repo, no mandatory multi-factor authentication on developer accounts โ was ordinary and depressingly common; plenty of companies have had a version of it and survived with a fine and an apology. What made Uber's case different, and what turned it criminal, was routing a $100,000 hush payment through the company's legitimate bug bounty program and papering it with a false NDA, at the exact moment Uber was under a live FTC investigation into whether its security promises were honest. That combination converted a security incident into an act of obstruction: prosecutors argued, and a jury agreed, that disguising a payoff to hackers as a bounty reward was a deliberate attempt to keep regulators and 57 million affected people in the dark, not an unfortunate judgment call.
There was also a structural failure. The same team that had just testified to the FTC about Uber's security posture was the team deciding, largely alone, whether to tell the FTC about a new incident that contradicted that testimony. Sullivan had both the incentive to make the problem disappear quietly and the authority to do so โ approving the payment, shaping the NDA, and keeping the matter out of wider legal review until Kalanick's ouster forced a due-diligence process to surface it. Nothing in Uber's process required an independent check before a breach involving tens of millions of records could simply be paid away.
Why smart founders fall for it
Disclosing a breach feels like handing the world a stick to beat you with โ a headline, a valuation hit, a regulator's attention, right when you'd rather be talking about growth. Paying a hacker to quietly delete the data and sign away liability looks, in the moment, like the cheaper and faster option: no public disclosure, no notification costs, no immediate story. Founders and executives used to treating problems as things to be engineered around โ rather than legal events with mandatory next steps โ reach for that same instinct here, especially under active regulatory scrutiny, where any admission feels like it will be used against the company. The math only works if the concealment holds forever; the moment it doesn't, the cover-up becomes a far bigger liability than the breach ever was, because regulators and courts punish concealment far more severely than they punish getting hacked in the first place.
The principle
A data breach is a security failure; hiding one from regulators and users is a legal and ethical choice, made by named individuals, carrying its own consequences that are usually worse than the breach itself. Security incidents are common and, within limits, forgivable โ regulators and the public generally distinguish between a company that got hacked and disclosed promptly and one that got hacked and lied about it. The moment a breach response starts running through the same channel as public relations and litigation strategy, rather than through mandatory legal notification obligations, a company has stopped managing a security incident and started managing a cover-up โ and cover-ups have a failure mode plain breaches don't: they can turn an executive's job into a criminal indictment.
How to avoid it
Breach response needs a process a scared or self-interested executive cannot unilaterally override: legal counsel with a statutory notification checklist, a board reporting line independent of whoever is implicated, and a hard rule that any payment to an intruder โ however it gets labeled internally โ is treated as exactly what it is.
| Warning sign | What it looks like | What to do instead |
|---|---|---|
| The team already under regulatory scrutiny controls the breach response | The security chief who just testified to a regulator alone decides whether to disclose a new, related incident | Route breach decisions through legal/compliance with a reporting line independent of whoever is implicated |
| Hacker payments are routed through unrelated programs | A hush payment is logged as a โbug bountyโ reward instead of an incident-response cost | Track incident-response payments separately from bounty programs; require legal sign-off before any payment to an intruder |
| No hard trigger for mandatory disclosure | Disclosure timing is treated as a PR judgment call rather than a legal deadline | Build a breach-notification runbook keyed to statutory deadlines (state law, FTC/SEC rules), not to sentiment |
| The board isn't told until something forces it | Board and outside counsel learn of a breach only via unrelated events, such as a later due-diligence review | Require board and outside counsel notification within a fixed window of any confirmed breach involving personal data |
| NDAs suppress facts, not just secure a return of data | A settlement or NDA with an intruder contains representations the company knows are false | Never draft or sign an NDA containing statements known to be false; treat it as a legal document carrying personal liability |
Frequently Asked Questions
Did Uber's CEO know about the cover-up?
Reporting at the time, including from the Washington Post and NPR, indicates then-CEO Travis Kalanick was made aware of the breach and hacker payment around November 2016, while still running the company. Kalanick was never criminally charged; the Department of Justice's case focused specifically on former Chief Security Officer Joe Sullivan's personal role in concealing the incident from the FTC and directing the payment and NDA.
Was Joe Sullivan sent to prison?
No. After a federal jury convicted Sullivan on October 5, 2022 of obstruction of an FTC proceeding and misprision of a felony, he was sentenced on May 4, 2023 to three years of probation, 200 hours of community service, and a $50,000 fine, per the Department of Justice โ not incarceration. Commentators noted the sentence was lighter than prosecutors sought, but the conviction was historic as the first criminal case against a corporate executive over how a data breach was handled.
How is this different from a typical data breach settlement?
Most data breach cases settle as civil and regulatory matters โ fines, consent decrees, consumer settlements โ brought against the company itself, as with Uber's own $148 million multistate settlement and its FTC consent order. What made the Sullivan case unusual is that federal prosecutors pursued criminal charges against an individual executive personally, for actively concealing and lying about a breach during an active government investigation, rather than for the breach occurring in the first place.
Sources
This account draws on official filings and contemporaneous reporting, including: the U.S. Department of Justice, Northern District of California (justice.gov), on Sullivan's conviction and sentencing; NPR's coverage of the breach disclosure and $148 million multistate settlement; the New York Attorney General's press release on that settlement; the Washington Post's reporting on Sullivan's conviction; and CyberScoop's and TechTarget's reporting on how the 2016 intrusion occurred.
Treating a data breach like a public-relations problem to manage quietly, instead of a legal event with mandatory next steps, is how a hack becomes a felony.
โ alokknight Engineering
