Uber admits to concealing the leak of 57 million data points after settlement.

Summary

Uber recently made headlines for admitting that it entered into a non-prosecution agreement with federal prosecutors in the US as a way to cover up a data breach suffered by the company in 2016 that involved the leak of 57 million data records.

In the announcement made by U.S. Attorney Stephanie M. Hinds and FBI Special Agent in Charge Sean Ragan, it was stated that, under the agreement reached, Uber admitted its failure and accepted responsibility for the actions of its executives, employees, and agents in concealing the data breach from the FTC (Federal Trade Commission).

The incident involved hackers stealing legitimate credentials to gain access to Uber's private source code repository, thereby stealing information on numerous drivers and passengers, resulting in the leak of 57 million user records and 600,000 driver's license numbers.

The breach was reported almost a year after the incident.

In 2016, when the intrusion occurred, the FTC already had an ongoing investigation into the company's security practices – an investigation that lasted from 2015 to 2017 – and the FTC had even requested, through written questions, information about any... unauthorized access to personal information from third parties.

The breach was not reported by Uber until almost a year after it occurred, when the company was already being managed by different leadership.

The new leadership, upon learning of the incident, investigated the breach and disclosed it to the affected drivers, the public, law enforcement, and regulators, including state attorneys general and the FTC.

The agreement took into account the stance of Uber's new leadership.

Several factors were taken into consideration in the new agreement recently presented, such as:

  • The change in company management and the fact that, upon learning of the incident, the new management immediately began investigating, disclosed the information to the public, and informed the relevant authorities;
  • The company has invested considerable resources in restructuring and improving its systems in order to prioritize compliance with laws that regulate data processing;
  • Furthermore, in October 2018, after disclosing the 2016 data breach, Uber reached an agreement with the FTC under which the company agreed to maintain a privacy program for 20 years, reporting any and all incidents to the FTC;
  • The new agreement demonstrates Uber's commitment to full cooperation with the government's investigation into this matter, including the criminal proceedings against Uber's former security director, Joe Sullivan, for his attempt to cover up the 2016 incident by disguising an extortion payment to hackers as a bug bounty.

At the time, Sullivan was accused of paying two hackers "$100,000 in secret money" to cover up the breach, and was indicted by a federal grand jury on charges of obstruction of justice for concealing a crime and three counts of wire fraud.

  • Finally, it is important to note that Uber settled disputes with attorneys general from 50 states and the District of Columbia related to data breaches, paying $148 million, and also agreed to implement a program that prioritizes data security.

The new CEO "rewrote the company's values, restructured the leadership team, made safety a company priority, implemented best-in-class corporate governance, hired an independent chairman of the board, and installed the rigorous controls and compliance necessary to operate as a publicly traded company," said Jill Hazelbaker, senior vice president of marketing and public relations, in a blog post.

Jill also said: "When we say that Uber is a different company today, we mean it literally: 90% of Uber's current employees joined after Dara became CEO."

The case continues to be prosecuted by the Corporate Fraud and Securities Section of the U.S. Attorney's Office and investigated by the FBI.
