Credential theft

Uber AWS GitHub Credentials Theft — 57 Million Riders and Drivers, $148M Settlement

📅 2016-10-01 🏢 Uber private GitHub repository / AWS S3

Incident Details

In October 2016, two attackers gained access to a private GitHub repository used by Uber engineers and found AWS credentials hardcoded in the source. Using those credentials, they accessed an Amazon S3 bucket holding a database backup with personal data on 57 million Uber users (roughly 50 million riders worldwide and 7 million drivers), including driver's license numbers for about 600,000 US drivers. The attackers then contacted Uber and demanded payment in exchange for deleting the data.

Uber paid them $100,000 in Bitcoin, routed through its bug bounty program so that the payment would look like a bounty, and had them sign agreements attesting that the data had been destroyed. Uber had no way to verify that claim. Uber's then-CSO Joe Sullivan and a colleague concealed the breach for over a year from the public, from regulators, and from the FTC, which at the time was already investigating Uber over its 2014 data security practices. The breach was disclosed in November 2017 after new CEO Dara Khosrowshahi learned of it.

The concealment led to criminal charges. In October 2022 Sullivan was convicted of obstruction of justice and misprision of a felony, the first criminal conviction of a corporate security executive for covering up a breach; he was sentenced to three years of probation in May 2023. Uber paid $148 million in September 2018 to settle investigations by all 50 US state attorneys general, and the FTC expanded its consent order with Uber to impose additional oversight requirements.

Technical Details

Initial Attack Vector
Attackers gained access to Uber's private GitHub repository, found AWS credentials hardcoded in the source, and used them to read an S3 bucket containing a backup archive with rider and driver personal data; they then contacted Uber and demanded $100,000 in exchange for deleting the data
Vendor / Product
Uber private GitHub repository / AWS S3
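The attack chain above (a static AWS key committed to a repository, then replayed against S3) is the textbook case for secret scanning. The following Python script is an added example, not code from Uber or from this incident write-up: it scans file contents, or the full `git log -p --all` of a checkout, for AWS access key IDs and secret access keys, redacts what it finds, and exits non-zero so it can gate commits or CI. The regexes, the `Finding` type and the sample files are this example's own assumptions; the sample credentials are the placeholder values from AWS documentation, not real keys.

```python
"""
Added example (not Uber's code): find hardcoded AWS credentials in source
text and in git history, the weakness behind the 2016 Uber S3 exposure.

Assumptions: access key IDs use the public AWS format (AKIA for long-term,
ASIA for temporary keys, followed by 16 uppercase alphanumerics) and secret
keys are 40 base64-style characters. Sample inputs below are constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Access key ID: 4-char prefix + 16 uppercase alphanumerics, on a word boundary.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret key: 40 base64-style chars. Requiring an "aws secret (access) key"-like
# name within a few characters keeps random 40-char blobs (hashes) out of results.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into logs or CI output


def redact(secret: str) -> str:
    """Keep the first and last 4 characters so the key can be located, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-shaped token, with its 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_git_history(repo_dir: str) -> list[Finding]:
    """Scan every commit on every branch: a key deleted from HEAD is still in history.
    line_no here is the offset within the log output, not within any file."""
    log = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(f"{repo_dir} (git history)", log)


# Constructed sample inputs (not from the Uber repository). The credential
# values are AWS's documented placeholders and are not valid keys.
SAMPLE_FILES = {
    "settings.py": "\n".join([
        "# bad: long-lived credentials committed to source control",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
        'S3_BUCKET = "example-backups"',
    ]),
    "settings_fixed.py": "\n".join([
        "# good: no static keys; the SDK resolves credentials from an IAM role or the environment",
        "import os",
        'AWS_ACCESS_KEY_ID = os.environ.get("AWS_ACCESS_KEY_ID")',
        'S3_BUCKET = "example-backups"',
    ]),
}


def main(argv: list[str]) -> int:
    # With a repo path: scan its full history. Without: scan the embedded samples.
    findings = scan_git_history(argv[1]) if len(argv) > 1 else scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    return 1 if findings else 0  # non-zero so a pre-commit hook or CI job blocks the change


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the two findings in the constructed `settings.py`; pass a repository path to scan its history instead. Two caveats apply to any hit: deleting the key from the current tree does not remove it from history or from every clone, so the key must be rotated and treated as compromised; and scanning is only a detection control, the preventive fix being to not mint long-lived keys for code at all and to let workloads obtain short-lived credentials from an IAM role instead.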

Timeline

  1. 2016-10-01 Breach occurred
  2. 2017-11-21 Publicly disclosed
  3. 2017-11-21 Customers notified