> series: anatomy_of_a_breach —— part: 107 —— target: uber —— records: 57,000,000 —— concealment: 13_months —— paid_hackers: $100,000
On 21 November 2017, Uber disclosed that in October 2016 hackers had stolen the personal data of approximately 57 million riders and drivers, including names, email addresses and phone numbers, and, for about 600,000 US drivers, driver's licence numbers. The attackers had found AWS credentials in a private GitHub repository used by Uber engineers and used them to download the data from Uber's Amazon S3 storage. The breach had occurred more than a year before the disclosure. Rather than reporting it to regulators and notifying affected individuals, Uber had paid the hackers $100,000 through its bug bounty programme, obtained their identities, had them sign non-disclosure agreements, and then concealed the breach from regulators, customers and the public.
The cover-up came to light under Uber's new CEO Dara Khosrowshahi, appointed in August 2017 to replace Travis Kalanick. Khosrowshahi disclosed the breach publicly, dismissed the CSO Joe Sullivan and Craig Clark, the legal director who had helped manage the concealment, and engaged Matt Olsen, a former general counsel of the NSA, to investigate. In October 2022 a federal jury convicted Sullivan of obstructing an FTC investigation (the FTC was already examining Uber's 2014 breach when the 2016 breach was hidden from it) and of misprision of a felony: the first criminal conviction of a corporate security executive for concealing a data breach. The Uber case established that covering up a breach is not merely unethical; where a regulator is involved, it can be a crime.
The mechanism Uber used to conceal the breach was ingenious and deeply troubling. The $100,000 was paid through Uber's legitimate bug bounty programme, run on the HackerOne platform and designed to reward security researchers for responsibly disclosing vulnerabilities. By recording an extortion payment as a bounty reward, Uber disguised its true nature; the sum was far above anything the programme had previously paid. The hackers were also required to sign non-disclosure agreements which, as the later prosecution showed, falsely stated that they had not taken or retained any data, binding them to silence about the breach they had committed.
The Uber case established three principles that every UK organisation must understand. First, concealing a data breach can be criminal: Sullivan's conviction proved it, at least where a regulator is investigating. Second, bug bounty programmes must not be used to silence criminals; they exist to reward legitimate researchers, and a payment to an extortionist does not become a bounty by being routed through one. Third, breach disclosure is not optional. Article 33 of UK GDPR requires notification to the ICO within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals, and Article 34 requires affected individuals to be told without undue delay where the risk is high. Concealment will be treated as an aggravating factor by regulators. For this breach, which predated GDPR, the ICO fined Uber £385,000 in November 2018 under the Data Protection Act 1998 for the security failures that allowed it.
UK Cyber Defence provides incident response that includes regulatory notification guidance, ensuring organisations meet their disclosure obligations. Cloud configuration reviews identify the kind of credential exposure, such as access keys committed to source repositories, that enabled the Uber breach. Cyber Essentials establishes baseline controls. And SOC in a Box provides the detection capability that enables prompt disclosure rather than belated discovery.
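The credential exposure behind the 2016 breach was an AWS key pair that had been committed to a private GitHub repository, and a code or cloud configuration review catches that class of mistake with a secret scan. Below is an added example of such a scan in Python; it is not Uber's tooling or UK Cyber Defence's product code, and the sample file, the PLACEHOLDER_SECRET line and the 3.5-bit entropy threshold are constructed for illustration. The key pair in the sample is the example pair published in AWS documentation, not a live credential.

```python
"""Secret scan for AWS credentials in source and config files.

Added example (not Uber's tooling and not UK Cyber Defence's product code).
The sample file, file names and the entropy threshold are constructed for
illustration.
"""
import math
import re
import sys
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA long-term,
# ASIA temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. Anything of
# that shape is a candidate; the entropy gate below weeds out placeholders.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of a deploy file an engineer might commit by mistake.
# The key pair is the example pair from AWS documentation, not a live one.
SAMPLE_FILE = """\
# deploy settings (constructed example)
AWS_REGION = "us-west-2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET = "0000000000000000000000000000000000000000"
BUCKET = "rider-exports"
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned text
    kind: str      # which credential type matched
    masked: str    # first and last 4 characters only, safe to log


def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char keys sit around 4.5+, placeholders near 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    """Never echo a full secret into logs or CI output."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return every likely AWS credential in text, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(1)
            # A real secret is near-random; a 40-char run of one symbol is not.
            if shannon_entropy(token) >= entropy_threshold:
                findings.append(Finding(line_no, "aws_secret_access_key", mask(token)))
    return findings


def scan_files(paths) -> dict:
    """Map each path to its findings; usable as a pre-commit gate."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = scan_text(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = {"<sample>": scan_text(SAMPLE_FILE)}
    total = 0
    for path, findings in hits.items():
        for f in findings:
            total += 1
            print(f"{path}:{f.line}: {f.kind} {f.masked}")
    # Non-zero exit blocks the commit when wired in as a git hook.
    sys.exit(1 if total else 0)
```

Run it with file paths to scan them, or with no arguments to scan the embedded sample. The exit status makes it usable as a git pre-commit hook, and the entropy gate is what stops every 40-character placeholder from being reported as a secret while still flagging a genuine key.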
<a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response including disclosure guidance. <a href="https://www.socinabox.co.uk">SOC in a Box</a> enables prompt detection. <a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> prevent credential exposure.