INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

Uber 57M Users Breached, CSO Convicted for Cover-Up

Nov 2017 · $148M + conviction

Publication Date: 2017-11-01
Category: Data Breaches
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In October 2016, two hackers discovered hardcoded AWS access credentials in a private GitHub repository used by Uber engineers. They used these credentials to access an Amazon S3 bucket containing the personal data of 57 million Uber users and 600,000 drivers.

Executive Summary

Key Facts

  • What: Hackers found AWS keys in GitHub; Uber's CSO paid $100K hush money via bug bounty.
  • Who: 57 million Uber users and 600,000 drivers.
  • Data Exposed: Names, emails, phone numbers, and driver's license numbers.
  • Outcome: CSO convicted of federal obstruction; $148M state settlement.

Impact Assessment

What Was Exposed

  • Names, email addresses, and phone numbers for approximately 57 million Uber riders and drivers worldwide
  • Driver’s license numbers for approximately 600,000 U.S.-based Uber drivers
  • Internal Uber database records including trip metadata and account details
  • AWS access credentials and internal code repositories that enabled the initial compromise

The exposure of 600,000 driver’s license numbers was particularly significant because driver’s licenses serve as primary government-issued identification in the United States. Unlike credit card numbers, which can be quickly cancelled and reissued, driver’s license numbers are difficult to change and are widely used for identity verification.

For the 57 million riders, the combination of names, email addresses, and phone numbers created a comprehensive contact dataset useful for phishing, social engineering, and credential stuffing attacks.

Analysis

The Cover-Up: Anatomy of Obstruction

What elevates the Uber breach from a serious but conventional security incident to a landmark case in corporate cybersecurity law is not the breach itself but the deliberate, sustained cover-up that followed.

In November 2016, Uber was in the middle of active settlement negotiations with the Federal Trade Commission over a separate 2014 data breach. The FTC had issued detailed interrogatories and document requests to Uber, and Joseph Sullivan, Uber’s Chief Security Officer, had himself provided sworn testimony to the FTC about Uber’s data security practices just days before learning of the new breach.

The FTC’s investigation specifically concerned Uber’s ability to protect user data, which made the concealment of a new, far larger breach directly relevant to the ongoing proceeding.

Upon learning of the 2016 breach in November, Sullivan and his team devised a strategy to conceal the incident. Rather than reporting the breach to the FTC, law enforcement, or affected individuals, Sullivan directed the payment of $100,000 in bitcoin to the two hackers. The payment was routed through Uber’s HackerOne bug bounty program to create the appearance of a legitimate vulnerability disclosure reward.

The hackers were required to sign non-disclosure agreements that falsely stated they had not obtained or stored any Uber data. Sullivan also directed his team to track down the identities of the hackers, which they eventually did, identifying Brandon Glover and Vasile Mereacre. Rather than report them to law enforcement, Uber used this information as additional leverage to ensure their silence, requiring the hackers to re-sign the NDAs under their real names.

The cover-up persisted for over a year. During this time, Sullivan continued to engage with the FTC regarding the 2014 breach investigation without disclosing the 2016 incident. In August 2017, Uber’s board approved a consent decree with the FTC that included commitments about Uber’s data security practices, a decree negotiated while the undisclosed 2016 breach remained active.

The concealment unraveled in November 2017, when Uber’s new CEO Dara Khosrowshahi, who had replaced Travis Kalanick in August 2017, was informed of the breach during an internal investigation. Khosrowshahi disclosed the breach publicly on November 21, 2017, and fired Sullivan and a deputy.

Compliance Impact

Regulatory Analysis

FTC Act Section 5: The FTC’s enforcement centered on Uber’s deceptive practices regarding data security. The concealment of the 2016 breach while actively negotiating with the FTC over the 2014 breach constituted a material misrepresentation. By failing to disclose the new breach, Uber effectively deceived the FTC about the state of its data security program during the very period the agency was evaluating those practices.

The FTC expanded the existing consent order to include the 2016 breach, imposing 20 years of mandatory security audits, biennial third-party assessments, and requirements to notify the FTC of any future breaches within specified timeframes.

State Breach Notification Laws: The 2016 breach triggered notification obligations under the data breach notification statutes of all 50 states. By concealing the breach for over a year, Uber violated these obligations in every state where affected consumers resided.

The 50-state attorney general coalition extracted a $148 million settlement, the largest data breach settlement by state attorneys general at the time. The settlement required Uber to implement a comprehensive data security program, maintain a corporate integrity program, and submit to regular third-party assessments.

18 USC 1505 (Obstruction of Federal Proceedings): Sullivan was charged under the federal obstruction statute for concealing the breach from the FTC during an active investigation. The prosecution argued that Sullivan’s failure to disclose the 2016 breach to the FTC, while actively participating in the agency’s investigation of the 2014 breach, constituted obstruction of a pending federal proceeding. The jury agreed, finding Sullivan guilty in October 2022.

18 USC 4 (Misprision of Felony): Sullivan was also convicted of misprision of felony, the crime of knowing about a felony and actively concealing it from authorities. The hackers’ unauthorized access to Uber’s systems and theft of personal data constituted federal computer fraud felonies. Sullivan’s knowledge of these crimes and affirmative steps to conceal them through the disguised bug bounty payment and NDAs met all elements of misprision.

Sentencing and Precedent: In May 2023, Sullivan was sentenced to three years of probation and a $50,000 fine. While the sentence was lighter than prosecutors sought, the conviction itself established a momentous precedent: corporate security executives who conceal data breaches from regulators and law enforcement face personal criminal liability.

The Sullivan case redefined the risk calculus for every CISO in America, making clear that covering up a breach is not merely a corporate governance failure but a federal crime.

Assessment

What Should Have Been Done

Credential Security in Code Repositories: The root cause was hardcoded AWS access credentials in a GitHub repository. This is a well-known anti-pattern that remains alarmingly common. Organizations must implement automated secret scanning on all code repositories, use secrets management systems (such as AWS Secrets Manager or HashiCorp Vault) for all production credentials, and enforce pre-commit hooks that block commits containing credential patterns.
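As an added illustration of the pre-commit control described above (example code written for this advisory, not Uber's or GitHub's tooling), the hook below scans only the added lines of the staged diff for AWS access key IDs and secret keys and refuses the commit on a hit. The embedded sample uses the placeholder keys from AWS documentation, not live credentials; run with --demo to scan that sample instead of the git index.

```python
"""Pre-commit hook that blocks staged changes carrying AWS credential patterns.
Added example, not from the advisory; install as .git/hooks/pre-commit."""
import re
import subprocess
import sys

# Long-term access key IDs start with AKIA, temporary ones with ASIA: 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-like chars; require a key-like name beside the value so
# ordinary hashes and tokens are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?([0-9A-Za-z/+]{40})\b")

# Constructed sample using the placeholder keys from AWS documentation (not live).
SAMPLE_STAGED = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)

def _redact(value):
    return value[:4] + "..." + value[-4:]

def find_aws_credentials(text):
    """Return (line_number, kind, redacted_value) for every credential pattern in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", _redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", _redact(m.group(1))))
    return findings

def staged_added_lines():
    """Collect only the '+' lines of the staged diff, so removing a key is never blocked."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

if __name__ == "__main__":
    text = SAMPLE_STAGED if "--demo" in sys.argv else staged_added_lines()
    hits = find_aws_credentials(text)
    for lineno, kind, redacted in hits:
        print(f"blocked: {kind} {redacted} (added line {lineno})", file=sys.stderr)
    sys.exit(1 if hits else 0)   # non-zero exit aborts the commit
```

The regexes cover only AWS key shapes; a production deployment would pair this hook with a server-side scanner so that a bypassed or uninstalled hook is still caught.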

Immediate Transparent Disclosure: The single most critical lesson from the Uber case is that concealment always makes a breach worse. Had Uber disclosed the 2016 breach promptly, the company would have faced regulatory penalties and reputational damage, but the penalties would have been a fraction of the $148 million state settlement, and Sullivan would not have faced criminal prosecution.

The cover-up transformed a serious but manageable security incident into a historic enforcement action and criminal case.

Bug Bounty Program Integrity: Using a bug bounty program to disguise hush money payments corrupts a legitimate security mechanism.

Bug bounty programs must have clear policies distinguishing between legitimate vulnerability reports and criminal extortion. Payments to individuals who have already accessed and stolen production data are not bug bounties; they are ransom payments, and must be treated accordingly with appropriate legal and law enforcement engagement.

Regulatory Engagement During Active Investigations: When an organization is under active investigation by a federal agency, the obligation to disclose material developments is heightened. Sullivan’s conviction demonstrates that failing to disclose a new breach during an active FTC investigation constitutes obstruction.

AWS S3 Bucket Security: The data was stored in an S3 bucket with insufficient access controls. Organizations must implement S3 bucket policies that enforce encryption, restrict access to authorized IAM roles, enable server access logging, and use AWS Config rules to detect and remediate public or overly permissive bucket configurations. AWS provides native tools, including S3 Block Public Access and Access Analyzer, that should be deployed across all accounts.
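The bucket-policy controls listed above, as an added example for this advisory (not Uber's configuration or an AWS tool): a weak policy beside a hardened one, and a small static checker of the kind an AWS Config custom rule would run, flagging wildcard Allow statements and the absence of the two Deny statements. The bucket and role ARNs are placeholders.

```python
"""Static audit of an S3 bucket policy for the controls named in the advisory.
Added example, not Uber's or AWS's code; policies and ARNs are constructed placeholders."""

BUCKET = "arn:aws:s3:::example-user-data"                    # placeholder
ROLE = "arn:aws:iam::123456789012:role/example-app-role"     # placeholder

# Weak: reads allowed to every principal, no transport or encryption conditions.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"}]}

# Hardened: one IAM role only, deny plaintext HTTP, deny uploads without SSE.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

def _is_wildcard(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))

def _condition(stmt, operator, key):
    return stmt.get("Condition", {}).get(operator, {}).get(key)

def audit_bucket_policy(policy):
    """Return a list of findings; an empty list means all three checks pass."""
    findings, tls_deny, sse_deny = [], False, False
    for stmt in policy.get("Statement", []):
        effect, actions = stmt.get("Effect"), stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if effect == "Allow" and _is_wildcard(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append("public Allow: wildcard principal with no Condition")
        if effect == "Deny" and _condition(stmt, "Bool", "aws:SecureTransport") == "false":
            tls_deny = True
        if effect == "Deny" and "s3:PutObject" in actions and \
                _condition(stmt, "Null", "s3:x-amz-server-side-encryption") == "true":
            sse_deny = True
    if not tls_deny:
        findings.append("no Deny for plaintext HTTP requests (aws:SecureTransport)")
    if not sse_deny:
        findings.append("no Deny for PutObject without server-side encryption")
    return findings

if __name__ == "__main__":
    print("weak:", audit_bucket_policy(WEAK_POLICY))
    print("hardened:", audit_bucket_policy(HARDENED_POLICY))
```

The checker reads only the bucket policy document; server access logging and Block Public Access are account and bucket settings that a real Config rule would query separately.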

The Uber breach cover-up is the defining case for personal accountability in cybersecurity. It established that concealing a data breach from regulators is not a strategic option but a federal crime. Joseph Sullivan’s conviction put every CISO on notice: the decision to hide a breach can end your career and your freedom. For organizations, the lesson is absolute: no breach is as damaging as the cover-up that follows it.