Uber’s Ex-Security Chief Faces New Criminal Charges

September 02, 2022 | 4 minutes read
Uber’s Ex-Security Chief Faces New Criminal Charges

Despite the fact that data breaches have become an almost daily occurrence in the past 20 years due to the world’s current reliance on digital technology, it is very rare that a criminal or bad actor is hit with criminal charges in response to a security breach incident. Nonetheless, the enactment of data protection legislation around the world has completely altered the ways in which people view the concept of personal privacy, as many consumers are now looking for businesses to be held accountable should they fail to protect the personal information of their respective customers.

With all this being said, as has been reported by the British daily newspaper the Guardian, as well as in many other major media outlets around the world, “Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.” Likewise, this trial is based on a data breach that the American transportation company Uber sustained several years ago in 2016, as the event in question is alleged to have affected more than 57 million passengers across several different nations. What’s more, it has also been alleged that Sullivan worked to cover up the data breach and effectively put the personal data of millions of people at risk.

Uber 2016 Data Breach

In 2016, international mobilities services provider Uber experienced a security breach that exposed the personal data of 57 million users worldwide. However, in contrast to many other breaches of similar scope and magnitude, Uber did not initially disclose this breach to any of their millions of customers, much less to any law enforcement or government agency that could have attempted to mitigate the breach. Instead, the occurrence of the breach was only unveiled after the FTC began investigating the dealings of Uber from 2015 to 2017. According to the government agency, “the breach occurred after hackers used stolen credentials to gain access to an access key from a source code repository, which then allowed them to gain access to both driver and customer personal details.”

These personal customer details included email addresses, driver’s license numbers, credit card numbers, telephone numbers, and full names. Despite the consequences that this data breach posed to the millions of customers worldwide that use Uber’s wide range of services, the FTC claimed that the transportation company attempted to pay a ransom in the amount of $100,000 in BitCoin to the alleged hackers that had launched the attack, despite the fact that then CSO of Uber, Joe Sullivan was not able to confirm the identity of said hackers. On this point, many businesses that have experienced data breaches in the past decade have opted to pay their cyberattackers a ransom in order to keep such occurrences under control, with the hope that such transactions will be a one-time affair.

Criminal charges

On the contrary, the security breach that Uber sustained ultimately became public, and Sullivan was ousted from the company due to his attempts to cover up the attack that had taken place. To this last point, the criminal charges that were recently levied against Sullivan are the culmination of a series of investigations that have taken place over the course of the last 5 to 6 years, in what may very well be a landmark case as it concerns the obligations of major corporations as it relates to security breaches. To this end, federal prosecutors with the U.S. Department of Justice (DOJ) claim that “Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.”

NDA

On top of the coverup that former Uber security chief Joe Sullivan is alleged to have engaged in when his company experienced a data breach in 2016, it has also been claimed that Sullivan had the hackers behind the breach sign a Non-Disclosure Agreement (NDA) that federal prosecutors have described as having “falsely represented that the hackers had not obtained or stored any data during their intrusion”. Nevertheless, Joe Sullivan has categorized the litany of claims that have been made against him with respect to his time as security chief of Uber as being fabricated, as he maintains his innocence by insisting that the allegations that have been brought against him were designed to shift blame away from Uber.

While the outcome of the criminal trials regarding Joe Sullivan’s alleged involvement in Uber’s massive data breach in 2016 remains to be seen, the verdict that will ultimately be reached will undoubtedly influence the manner in which similar occurrences are handled within the legal realm in the near future, as there have been many other instances in recent years where a company executive has been accused of essentially sweeping a data breach under the rug. For this reason, businesses and organizations around the globe will have to reexamine the ways in which they manage security breaches, as the failure to do so can have long-term consequences for all parties involved.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »