The Justice Department has opened a criminal investigation into allegations that a former Uber executive stole self-driving car technology from Google spinoff Waymo to help the ride-hailing giant build robotic vehicles, a letter from the U.S. attorney's office confirms.
The letter unsealed Wednesday by a federal judge marks the Justice Department's first acknowledgment of the probe. The criminal investigation was mentioned in court hearings two weeks ago, but the Justice Department had declined to comment. The U.S. attorney's office in San Francisco unsuccessfully tried to keep its letter disclosing the investigation under seal to protect the probe's integrity.
The Nov. 22 letter did not identify the targets of the investigation. Waymo — which is still owned by Google parent Alphabet Inc. — has alleged that former executive Anthony Levandowski stole its technology before he joined Uber last year.
Separately on Wednesday, Uber told lawmakers that an outside cybersecurity firm, which the San Francisco ride-hailing giant hired after a massive data theft by two hackers, found no evidence that riders’ credit card, bank account or Social Security numbers were downloaded by the hackers.
However, the company disclosed in a response to demands for information from U.S. senators that in some cases the hackers got location information about where people were when they signed up for Uber, as well as heavily encoded versions of user passwords.
On Nov. 21, Uber disclosed that names, email addresses and cellphone numbers of 57 million drivers and riders had been stolen.
In a letter to four Republican senators led by commerce committee Chairman John Thune of South Dakota, the company says that Mandiant, the security firm, found 32 million of those are outside the U.S. and 25 million are inside. Of the total, 7.7 million are drivers, mostly in the U.S., and hackers got driver's license numbers for 600,000 of them, according to the letter from Uber Chief Executive Dara Khosrowshahi.
Uber also said it has not seen evidence of fraud or misuse of data taken in the breach, which was kept quiet for more than a year before being disclosed. Two employees were fired for not disclosing the theft to “appropriate parties,” the letter said.
The hackers anonymously emailed Uber's U.S. security team Nov. 14, 2016, telling the team about the breach and demanding a payment. Uber tracked down the breach in private cloud data stored on Amazon's web services and shut down access, which came through a “compromised credential,” the letter said.
The security team agreed to pay $100,000 to the hackers for an agreement to delete the data, and later tracked down the hackers' real names. Both signed documents assuring that the stolen data was destroyed, Khosrowshahi wrote. Team members found that the hackers first gained access Oct. 13, 2016, and there was no further access after Nov. 15, 2016, the letter said.
Uber notified the U.S. attorney's offices in San Francisco and Manhattan, as well as other government agencies, on Nov. 21 of this year, but it's not clear whether any criminal investigation has been started. Neither office confirmed nor denied an investigation.