Uber’s Ex-Security Chief Faces New Criminal Charges
September 02, 2022
Although data breaches have become an almost daily occurrence over the past 20 years due to the world’s reliance on digital technology, it is very rare that a criminal or bad actor faces criminal charges in response to a security breach incident. Nonetheless, the enactment of data protection legislation around the world has completely altered how people view personal privacy, and many consumers now expect businesses to be held accountable should they fail to protect their customers’ personal information.
As reported by the British daily newspaper the Guardian, as well as by many other major media outlets around the world, “Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.” The trial stems from a data breach that the American transportation company Uber sustained in 2016, which is alleged to have affected more than 57 million passengers across several different nations. It has also been alleged that Sullivan worked to cover up the data breach and effectively put the personal data of millions of people at risk.
Uber 2016 Data Breach
In 2016, international mobility services provider Uber experienced a security breach that exposed the personal data of 57 million users worldwide. However, in contrast to many other breaches of similar scope and magnitude, Uber did not initially disclose this breach to any of its millions of customers, much less to any law enforcement or government agency that could have attempted to mitigate the breach. Instead, the breach only came to light after the FTC began investigating Uber’s dealings from 2015 to 2017. According to the government agency, “the breach occurred after hackers used stolen credentials to gain access to an access key from a source code repository, which then allowed them to gain access to both driver and customer personal details.”
These personal customer details included email addresses, driver’s license numbers, credit card numbers, telephone numbers, and full names. Despite the consequences that this data breach posed to the millions of customers worldwide who use Uber’s wide range of services, the FTC claimed that the transportation company attempted to pay a ransom of $100,000 in Bitcoin to the alleged hackers who had launched the attack, even though the then CSO of Uber, Joe Sullivan, was not able to confirm the identity of said hackers. On this point, many businesses that have experienced data breaches in the past decade have opted to pay their cyberattackers a ransom in order to keep such occurrences under control, with the hope that such transactions will be a one-time affair.
Criminal charges
Ultimately, however, the security breach that Uber sustained became public, and Sullivan was ousted from the company due to his attempts to cover up the attack that had taken place. The criminal charges that were recently levied against Sullivan are the culmination of a series of investigations that have taken place over the course of the last 5 to 6 years, in what may very well be a landmark case concerning the obligations of major corporations with respect to security breaches. To this end, federal prosecutors with the U.S. Department of Justice (DOJ) claim that “Sullivan had ‘instructed his team to keep knowledge of the 2016 Breach tightly controlled’ and to treat the incident as part of the bug bounty program.”
NDA
On top of the cover-up that former Uber security chief Joe Sullivan is alleged to have engaged in when his company experienced a data breach in 2016, it has also been claimed that Sullivan had the hackers behind the breach sign a Non-Disclosure Agreement (NDA) that federal prosecutors have described as having “falsely represented that the hackers had not obtained or stored any data during their intrusion”. Nevertheless, Joe Sullivan has characterized the litany of claims made against him with respect to his time as security chief of Uber as fabricated, and he maintains his innocence by insisting that the allegations brought against him were designed to shift blame away from Uber.
While the outcome of the criminal trials regarding Joe Sullivan’s alleged involvement in Uber’s massive data breach in 2016 remains to be seen, the verdict that will ultimately be reached will undoubtedly influence the manner in which similar occurrences are handled within the legal realm in the near future, as there have been many other instances in recent years where a company executive has been accused of essentially sweeping a data breach under the rug. For this reason, businesses and organizations around the globe will have to reexamine the ways in which they manage security breaches, as the failure to do so can have long-term consequences for all parties involved.