Uber 2016 data breach and cover-up
Attackers stole personal data on 57 million Uber riders and drivers in October 2016. Rather than disclose, Uber paid the hackers a $100,000 ransom and disguised it as a bug bounty — a cover-up that led to a $148 million multistate settlement and the criminal conviction of Uber's security chief.
- Victim: Uber Technologies, Inc.
- Loss: $148.0M
- Records: 57.0M
- Users: 57.0M
On 21 November 2017, more than a year after the fact, Uber disclosed that attackers had stolen the personal data of 57 million riders and drivers in October 2016 — and that the company had paid the hackers $100,000 to keep quiet rather than report the breach. The incident became the defining case study in corporate breach cover-ups and the first U.S. prosecution of an executive for concealing one.
What happened
In October 2016, two attackers — later identified as Brandon Glover and Vasile Mereacre — gained access to a private Uber GitHub repository used by the company's engineers. Inside, they found Amazon Web Services credentials that were valid for Uber's cloud storage. Using those keys, they downloaded a backup archive containing rider and driver records.
The haul included the names, email addresses, and mobile phone numbers of roughly 57 million users worldwide, plus the driver's license numbers of around 600,000 U.S. drivers.
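The root cause above is a long-lived cloud credential committed to a code repository. As an added example (not Uber's tooling and not drawn from any of the cited sources), the following scanner flags AWS-style access key IDs and secret keys in file contents or in the added lines of a diff, so a pre-commit hook or CI job can refuse the commit before the key ever reaches a shared repository. The key ID format (`AKIA` plus 16 uppercase alphanumerics) is the documented AWS format; the secret-key pattern is a heuristic. The sample config and diff are constructed, and the key values are the placeholders AWS uses in its own documentation.

```python
import re
from typing import List, Tuple

# Long-term AWS access key IDs start with "AKIA" followed by 16 uppercase
# alphanumerics (documented AWS format). The secret-key pattern is a heuristic:
# a 40-character base64-style token following a "secret ... key" label.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"'\s:=]+"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep only the first and last four characters so a finding can be
    reported without copying the credential into logs or ticket systems."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every
    credential-looking token in `text` (a file body or any block of lines)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_added_lines(diff_text: str) -> List[Tuple[int, str, str]]:
    """Pre-commit variant: only lines a unified diff adds ("+" prefix, not the
    "+++" file header) are checked, so existing history does not add noise.
    Line numbers returned are positions among the added lines, not file lines."""
    added = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    return scan_text("\n".join(added))


def should_block_commit(diff_text: str) -> bool:
    """True when the diff introduces at least one credential-looking token."""
    return bool(scan_added_lines(diff_text))


# Constructed sample: a settings file of the kind that should never be committed.
# The key values are the placeholders AWS uses in its own documentation.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
"""

# Constructed sample diff: the access key ID is on an added line, the secret key
# only in unchanged context, so a pre-commit hook reports exactly one finding.
SAMPLE_DIFF = """\
--- a/config/settings.ini
+++ b/config/settings.ini
@@ -1,3 +1,4 @@
 [default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
 aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 region = us-west-2
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"settings.ini:{lineno}: {kind} {value}")
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Pattern matching is the last line of defence, not the first: a finding only tells you a key must be rotated immediately, because anyone with repository access may already have copied it. The stronger control is to avoid long-lived keys in code altogether (temporary credentials issued to a workload at runtime), so that even a credential that does slip into a repository expires before it can be used against cloud storage.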
The cover-up
Instead of disclosing the breach to regulators and affected individuals — as required under data-breach notification laws, and while Uber was already under active FTC investigation over an earlier 2014 incident — Uber's security leadership chose concealment.
Chief Security Officer Joe Sullivan and his team paid the attackers $100,000 in bitcoin and had them sign non-disclosure agreements falsely attesting that no data had been taken. The payment was routed through Uber's HackerOne bug-bounty program to make it look like a routine security reward, even though the typical bounty ceiling at the time was a fraction of that sum.
The breach stayed hidden until new CEO Dara Khosrowshahi learned of it and went public in November 2017.
Impact
- 57 million rider and driver records exposed, including 600,000 driver's license numbers.
- A $148 million settlement in September 2018 with the attorneys general of all 50 U.S. states and the District of Columbia — at the time the largest multistate data-breach settlement on record.
- An expanded FTC consent order requiring 20 years of privacy audits.
- The two extortionists, Glover and Mereacre, pleaded guilty to federal computer-fraud charges in 2019.
- CSO Joe Sullivan was criminally convicted in 2022 of obstructing the FTC and misprision of a felony, and sentenced to three years' probation plus a $50,000 fine — the first time a corporate security executive faced criminal liability for a breach cover-up.
Why it matters
The Uber case redrew the line between a security incident and a crime. The breach itself was unremarkable — leaked cloud credentials in a code repository, a pattern repeated across the industry. What made it historic was the decision to conceal it and dress up an extortion payment as a bug bounty. Sullivan's conviction sent an unambiguous message to every CISO: the duty to disclose is a legal obligation, not a discretionary call, and an executive who buries a breach can be held personally and criminally accountable.
Financial impact
Reported costs in USD
- Ransom paid: $100.0K
- Business loss: $148.0M
Timeline
- Attackers access an Uber private GitHub repository, find AWS credentials, and download a backup containing data on 57 million riders and drivers.
- The attackers email Uber demanding payment. Uber's security team, led by CSO Joe Sullivan, pays $100,000 in bitcoin and has the hackers sign non-disclosure agreements.
- Uber disguises the payment as a 'bug bounty' award and does not notify regulators or affected users.
- New Uber CEO Dara Khosrowshahi publicly discloses the breach and the cover-up, more than a year after the fact.
- Uber agrees to an expanded settlement with the U.S. Federal Trade Commission over the breach and its handling.
- Uber settles with the attorneys general of all 50 states and Washington, D.C. for $148 million.
- Brandon Glover and Vasile Mereacre plead guilty to federal computer fraud charges for the extortion.
- A federal jury convicts former CSO Joe Sullivan of obstructing an FTC proceeding and misprision of a felony for concealing the breach.
Sources
- justice.gov: https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
- npr.org: https://www.npr.org/2018/09/27/652119109/uber-pays-148-million-over-year-long-cover-up-of-data-breach
- ftc.gov: https://www.ftc.gov/news-events/news/press-releases/2018/04/uber-agrees-expanded-settlement-ftc-related-privacy-security-claims
- techtarget.com: https://www.techtarget.com/searchsecurity/news/252525808/Former-Uber-CSO-Joe-Sullivan-found-guilty-in-breach-cover-up