In a significant ruling, a federal jury in the United States has convicted former Uber Chief Security Officer, Joseph Sullivan, for failing to disclose a data breach that occurred in 2016. This breach compromised sensitive information pertaining to both customers and drivers, with Sullivan accused of actively attempting to obscure details from regulators.
Sullivan’s conviction encompasses two charges: obstruction of justice for withholding information from authorities and misprision, which entails concealing a felony. As it stands, he could face up to five years in prison for the obstruction charge alone, in addition to a potential maximum of three years for misprision.
U.S. Attorney Stephanie M. Hinds emphasized the responsibility of technology companies based in the Northern District of California to safeguard user data. In her statement, she remarked that Sullivan not only failed to report the breach but also implemented measures to prevent its disclosure, significantly complicating the legal landscape around corporate data breaches.
Details of the incident reveal that two hackers exploited vulnerabilities to gain unauthorized access to Uber’s database backups. This breach led Uber to pay a ransom of $100,000, an action shrouded in secrecy, under the pretense of a bug bounty agreement. The stolen data encompassed records of approximately 50 million riders and 7 million drivers.
The timing of this incident couldn’t have been more precarious, occurring while the U.S. Department of Justice and Federal Trade Commission were already investigating Uber for a previous data breach in May 2014. That breach had involved unauthorized access leading to the exposure of sensitive driver information for about 50,000 individuals, showcasing a troubling pattern of negligence.
The DOJ revealed that Sullivan played a pivotal role in shaping Uber’s responses to the FTC regarding its security policies, even testifying under oath about the preventive measures undertaken after the 2014 breach. However, mere days after his testimony, Sullivan learned of the new compromise yet chose to enact a cover-up strategy rather than notify authorities.
Moreover, federal prosecutors allege that Sullivan misled Uber’s top executives, including CEO Dara Khosrowshahi, and external legal teams involved in investigating the breach. The shocking reality of the incident did not surface until November 2017, revealing systemic issues in corporate governance and crisis management within Uber.
This case marks a pivotal development in corporate accountability, as it represents the first instance of a senior executive facing criminal charges related to a data breach. Meanwhile, the two hackers involved continue to await sentencing for related fraud conspiracy charges after pleading guilty in October 2019.
The implications of Sullivan’s actions suggest a significant failure in data protection measures. The parallels between the 2014 and 2016 breaches highlight the need for robust cybersecurity frameworks such as the MITRE ATT&CK Matrix, which catalogs adversary tactics including initial access and privilege escalation, to help organizations mitigate the associated risks. In the wake of these events, Uber has recently faced additional security breaches linked to the LAPSUS$ cybercrime group, demonstrating ongoing vulnerabilities that must be addressed.
This past July, Uber resolved a settlement with the DOJ, agreeing to a $148 million payment and committing to implement a corporate integrity program alongside comprehensive data security safeguards. The overarching message from these proceedings underscores that companies managing customer data have an obligation to ensure its security and to act transparently when breaches occur.