Uber boss hides culpable breach

Jury finds former Uber security chief guilty of criminal obstruction for failing to report massive data breach in 2016

The long arm of justice has finally caught up with a former cyber security chief, after he was found guilty of covering up a major data breach at Uber.

The breach in question took place in 2016, and the trial of Uber Technologies’ former security chief Joseph Sullivan began last month, after he was charged in 2020 with covering up the controversial data breach.

The US Department of Justice confirmed that Sullivan was found guilty of “obstruction of the proceedings of the Federal Trade Commission (FTC)” and of misprision of a felony (ie, knowing of a crime and taking steps to conceal it rather than reporting it to the authorities).


Guilty verdict

The guilty verdict followed a four-week trial in San Francisco.

In July, Uber admitted responsibility for covering up the breach and agreed to cooperate with the prosecution of Sullivan, as part of a settlement with US prosecutors to avoid criminal charges.

Sullivan had been fired from Uber in 2017 over the case, and the judge handling the trial has yet to set a sentencing date.

However, the DoJ has stated that Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum of three years in prison for the misprision of a felony charge.

“Technology companies in the Northern District of California collect and store vast amounts of user data,” noted US Attorney Hinds. “We expect these companies to protect this data and notify customers and relevant authorities when such data is stolen by hackers.”

“Sullivan affirmatively worked to conceal the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said. “We will not tolerate important information being withheld from the public by business leaders who are more interested in protecting their and their employers’ reputations than in protecting users. Where such conduct violates federal law, it will be prosecuted.”

“The message in today’s guilty verdict is clear: companies that store their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent Tripp. “The FBI and our government partners will not allow rogue technology executives to put American consumers’ personal information at risk for their own gain.”

The case has been closely watched as it sets an important precedent regarding the culpability of individual managers when dealing with cyber security incidents.

This issue has become increasingly important in an era of ongoing ransomware attacks, coupled with rising cyber security insurance premiums.

Multiple violations

There have been several data breaches at Uber over the past eight years.

In 2015, it emerged that Uber had waited five months to report that it had been hacked back in September 2014, leaking the details of hundreds of its drivers online.

Social security numbers, images of driver’s licenses and vehicle registration numbers were among the details accidentally exposed, with as many as 647 drivers believed to have been affected across the US.

But much worse was to follow in 2016, when Uber again covered up a data breach that exposed the data of 57 million customers and drivers.

Uber said that no financial details or travel records were taken in the 2016 hack, but the attackers were paid $100,000 in bitcoin to delete the files they had downloaded. Personal information was stolen, however, and there was no way to guarantee that the data had actually been destroyed.

To make matters worse, Uber routed the payment through its “bug bounty” programme (normally used to reward security researchers who responsibly report vulnerabilities, not to pay off intruders who have already stolen data), with one of the hackers said to be an unidentified 20-year-old man in Florida.

Uber only disclosed the incident publicly in November 2017, after newly installed CEO Dara Khosrowshahi learned of the breach shortly after joining the firm.

Khosrowshahi’s admission in 2017 that Uber had failed to disclose the breach for over a year led to an investigation by European authorities.

The UK Information Commissioner’s Office (ICO) fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) fined Uber 600,000 euros ($678,780).

In September 2018, Uber agreed to pay $148 million to settle legal action over the attack.

Latest breach

But that was not the end of security incidents at the firm.

Last month (in September 2022), Uber confirmed that it was “responding to a cyber security incident”.

The confirmation came after the New York Times had reported that a hacker had gained access to the company’s network, forcing Uber to take several internal communications and engineering systems offline.

According to the New York Times, the 18-year-old hacker compromised the company’s workplace messaging app Slack and used it to send a message to Uber employees announcing that the company had suffered a data breach.

Screenshots appearing to show Uber’s hacked internal systems surfaced on Twitter.

The hacker also appeared to have access to other internal company systems, and posted an explicit image on an internal employee information page, according to the New York Times.
