Client: Samuel Leo
Subject: Samuel Leo
Budget: $10 million
Duration: 6 months
Uber Incident: The Price of Concealing a Breach
In late 2016, two hackers accessed a private GitHub repository used by Uber engineers and obtained login credentials to Uber’s AWS account. With these credentials, they accessed a trove of data, including personal information of 57 million users and 600,000 driver’s license numbers. Instead of disclosing the breach to authorities or affected individuals, Uber chose to pay the attackers $100,000 in what was disguised as a bug bounty reward. The company also required the hackers to sign non-disclosure agreements. The incident remained hidden for over a year until it was revealed by Uber’s new executive leadership in late 2017.
Why It Mattered
Uber’s mistake wasn’t just the breach—it was the decision to cover it up. By opting to conceal the incident rather than follow proper disclosure protocols, the company violated multiple data protection laws and undermined public trust. It sent a dangerous message that compliance and transparency could be bypassed in favor of convenience and brand protection.
This case elevated the importance of incident reporting, especially in industries dealing with sensitive user data. It also showed that how a company responds to a breach is just as important as preventing one in the first place.
The Fallout
The consequences for Uber were swift and severe. The company faced multiple investigations, class-action lawsuits, and global regulatory fines. Ultimately, Uber agreed to pay $148 million in a settlement with all 50 U.S. states and Washington, D.C.—one of the largest data breach settlements in history at the time. In addition to financial penalties, Uber’s former Chief Security Officer was charged and later convicted for his role in the cover-up, becoming one of the first high-profile executives held personally accountable for mishandling a data breach.