Former Uber Security Chief Found Guilty in Court

October 10, 2022 | 4 minutes read
Former Uber Security Chief Found Guilty in Court

Despite the fact that data breaches continue to be a growing concern for consumers around the world, it is very rare that a person faces legal consequences for their role in such events. Nevertheless, former Uber Chief Security Officer Joseph Sullivan was found guilty of concealing the massive data breach that his former employer sustained several years ago in 2016, as Sullivan reportedly had a hand in covering up the attack. More specifically, “Sullivan, who was fired from Uber in 2017, was found guilty on counts of obstruction of justice and deliberate concealment of felony, a spokesperson from the US justice department confirmed on Wednesday.”

For context, the aforementioned data breach that Uber experienced in 2016 impacted more than 57 million consumers that had been using the ridesharing company for food and transportation purposes up until that point. However, in spite of the severity of the data breach that occurred, Sullivan allegedly agreed to pay the hackers $100,000 in bitcoin in an attempt to sweep the event under the rug so to speak. Furthermore, Sullivan also reportedly had the hackers involved in the attack sign a nondisclosure agreement, and the general public only became aware of the data breach after the Federal Trade Commission (FTC) launched its own investigation against Uber a year later in 2017.

A new precedent in cybersecurity

Due to the national exposure that Joseph Sullivan’s criminal case has received, as well as the prominence of Uber as a ride-sharing company on an international scale, many experts within the cybersecurity community, have asserted that the manner in which Sullivan has been handled by the U.S. federal government will serve as a wake-up call for cyber criminals and security officers alike. Subsequently, “Federal prosecutors noted that the case should serve as a warning to companies about how they comply with federal regulations when handling their network breaches.” To this point, the failures of businesses to protect the personal information of their respective customers have been well-documented for many years now.

To illustrate this point further, Casey Ellis, founder, and CTO at Bugcrowd, a crowdsourced cybersecurity platform, told TechNewsWorld that “It begs for clearer policy at the federal level in the United States around privacy protections and the treatment of user data, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams, and their shareholders.” To this last point, the prosecution of Joe Sullivan has also highlighted the need for federal data protection legislation, as companies such as Uber face virtually no penalty when it comes to data breaches.

Capital One’s 2019 data breach

While the data breach that Uber has faced in 2016 was one of the largest to have ever impacted the nation, the prominent bank holding company Capital One was also hit with a massive breach several years later in 2019. For reference, this attack was launched by Paige Thompson, a former software engineer for Amazon, and affected more than 100 million consumers globally. To this end, Thompson was also recently found guilty of her role in the data breach, as her actions resulted in millions of people having their personal data stolen, as well as a multimillion-dollar class action lawsuit that was ultimately imposed against Capital One. Likewise, despite the fact that Thompson was able to dodge a prison sentence, her guilty verdict will nonetheless put the cybersecurity community on notice as well.

Ineffective data breach notification legislation

In spite of the role that individuals such as Joseph Sullivan and Paige Thompson have played in both launching and covering up data breaches and cyber attacks in recent years, the reality of the situation is that every state and territory within the U.S. have enacted some form of data breach notification legislation as of 2022. However, the laws have seemingly made little impact against the criminals that are involved in cyber attacks, as most data breach notification laws simply serve to notify affected individuals that their personal information may be compromised. However, after this initial notification, these laws do virtually nothing to help consumers recover from being affected by a data breach.

While it remains unclear whether or not Joe Sullivan will ultimately serve prison time for his role in covering up Uber’s data breach in 2016, the fact that he was found guilty of his crimes is nevertheless a step in the right direction as it concerns consumer protection. Due to the fact that companies such as Uber and Capital One would be unable to conduct business without the personal information of the customers they serve, safeguarding this personal data must be a top priority at all times. Moreover, employees that fail to protect this information should be accountable for their actions, within the full extent of the law.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »