Former Uber Security Chief Found Guilty in Court
October 10, 2022 | 4-minute read
Although data breaches continue to be a growing concern for consumers around the world, it is very rare for an individual to face legal consequences for their role in such an event. Nevertheless, former Uber Chief Security Officer Joseph Sullivan was found guilty of concealing the massive data breach his former employer sustained in 2016, in which Sullivan reportedly had a hand in covering up the attack. More specifically, “Sullivan, who was fired from Uber in 2017, was found guilty on counts of obstruction of justice and deliberate concealment of felony, a spokesperson from the US justice department confirmed on Wednesday.”
For context, the 2016 Uber breach affected more than 57 million consumers who had used the ridesharing company for food delivery and transportation up to that point. Despite the severity of the breach, Sullivan allegedly agreed to pay the hackers $100,000 in bitcoin in an attempt to sweep the incident under the rug. Sullivan also reportedly had the hackers involved in the attack sign a nondisclosure agreement, and the general public only became aware of the breach after the Federal Trade Commission (FTC) launched its own investigation into Uber a year later, in 2017.
A new precedent in cybersecurity
Given the national exposure Joseph Sullivan’s criminal case has received, as well as Uber’s prominence as an international ride-sharing company, many experts within the cybersecurity community have asserted that the way the U.S. federal government has handled Sullivan will serve as a wake-up call for cyber criminals and security officers alike. Along these lines, “Federal prosecutors noted that the case should serve as a warning to companies about how they comply with federal regulations when handling their network breaches.” The failures of businesses to protect the personal information of their customers have been well documented for many years now.
To illustrate this point further, Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity platform, told TechNewsWorld that “It begs for clearer policy at the federal level in the United States around privacy protections and the treatment of user data, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams, and their shareholders.” On this last point, the prosecution of Joe Sullivan has also highlighted the need for federal data protection legislation, as companies such as Uber face virtually no penalty when it comes to data breaches.
Capital One’s 2019 data breach
While the data breach Uber faced in 2016 was one of the largest ever to affect the nation, the prominent bank holding company Capital One was also hit with a massive breach several years later, in 2019. That attack was launched by Paige Thompson, a former software engineer for Amazon, and affected more than 100 million consumers globally. Thompson was also recently found guilty for her role in the breach, as her actions resulted in millions of people having their personal data stolen, as well as a multimillion-dollar class action lawsuit brought against Capital One. Although Thompson avoided a prison sentence, her guilty verdict will nonetheless put the cybersecurity community on notice as well.
Ineffective data breach notification legislation
Despite the role that individuals such as Joseph Sullivan and Paige Thompson have played in launching and covering up data breaches and cyber attacks in recent years, the reality is that every state and territory within the U.S. has enacted some form of data breach notification legislation as of 2022. These laws have seemingly made little impact on the criminals involved in cyber attacks, as most data breach notification laws simply require that affected individuals be told their personal information may have been compromised. After this initial notification, the laws do virtually nothing to help consumers recover from the effects of a data breach.
While it remains unclear whether Joe Sullivan will ultimately serve prison time for his role in covering up Uber’s 2016 data breach, the fact that he was found guilty of his crimes is nevertheless a step in the right direction for consumer protection. Because companies such as Uber and Capital One would be unable to conduct business without the personal information of the customers they serve, safeguarding this personal data must be a top priority at all times. Moreover, employees who fail to protect this information should be held accountable for their actions to the full extent of the law.