Two hackers are facing the prospect of up to five years in prison and a $250,000 fine after pleading guilty to the 2016 Uber hack attack which the company covered up for over 12 months.
Brandon Charles Glover and Vasile Mereacre admitted stealing personal information from Uber and other companies that was stored on Amazon Web Services from October 2016 to January 2017 and then demanding to be paid to destroy the data.
Details of the hack, which affected 57 million Uber users worldwide and around 6 million drivers, were first disclosed in 2017 when it also emerged that the company had paid the hackers $100,000 to delete the data rather than notifying the victims.
US Attorney David Anderson berated Uber for not immediately alerting authorities about the loss of so much personal information that could have been used for ID theft and other malicious purposes.
“Companies like Uber are the caretakers, not the owners, of customers’ personal information,” Anderson said in a statement.
Last November, the company was whacked with fines of more than £900,000 by UK and Dutch data regulators for showing “complete disregard” for the personal information of both customers and drivers.
The Information Commissioner’s Office, which issued a £385,000 penalty, said “avoidable data security flaws” had allowed the personal details of around 2.7 million UK customers to be accessed.
The records of almost 82,000 drivers based in the UK were also taken during the incident.
In the Netherlands, where 174,000 citizens were affected by the worldwide incident, Uber was fined €600,000 (£532,000) by the Dutch data protection authority.
Uber declined to comment on the guilty pleas. A status conference about the hackers' sentencing has been scheduled for March 18 2020.