Jury finds former head of security at Uber guilty of criminal obstruction for failing to report massive data breach in 2016
The long arm of justice has finally caught up with a former cybersecurity executive, after he was found guilty of concealing a huge data breach at Uber.
The breach in question took place in 2016. The trial of Uber Technologies' former chief security officer Joseph Sullivan began last month, after he was charged in 2020 with concealing the breach.
The US Department of Justice confirmed that Sullivan was found guilty of obstruction of proceedings of the Federal Trade Commission (FTC) and of misprision of felony, that is, knowing of a felony and deliberately concealing it rather than reporting it to the authorities.
The guilty verdict followed a four week trial in San Francisco.
In July, Uber accepted responsibility for covering up the breach and agreed to cooperate with the prosecution of Sullivan, as part of a settlement with US prosecutors under which the company itself avoided criminal charges.
Sullivan had been fired from Uber in 2017 over the matter, and the judge handling the court case has not yet set a sentencing date.
However, the DoJ has stated that Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum of three years in prison for the misprision charge.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” noted US Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.”
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Hinds. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
The case has been closely watched because it sets an important precedent regarding the personal liability of individual executives for how they handle cybersecurity incidents.
This issue has become increasingly important at a time of ongoing ransomware attacks, coupled with rising cybersecurity insurance premiums.
There have been multiple data breaches at Uber over the past eight years.
In 2015 it emerged that Uber had waited five months to report an intrusion it had discovered in September 2014, which exposed the details of hundreds of its drivers.
Social security numbers, pictures of driver licences and vehicle registration numbers were among the details revealed, with as many as 647 drivers across the US thought to have been affected.
But much worse was to follow in 2016, when Uber again concealed a data breach that exposed data from 57 million customers and drivers.
According to Uber, no financial details or journey records were taken in the 2016 hack, but personal information on riders and drivers was, and the attackers were paid $100,000 in bitcoin to delete the stolen files. There was no guarantee that the data was actually destroyed.
To make matters worse, Uber routed the payoff through its "bug bounty" program (normally used to reward security researchers who report vulnerabilities to the company), one of the hackers reportedly being an unidentified 20-year-old man in Florida. The hackers were also made to sign non-disclosure agreements that falsely stated they had not taken or stored any of the data.
Uber came clean about the incident in November 2017, after newly installed CEO Dara Khosrowshahi, who had recently joined the firm, became aware of the breach.
Khosrowshahi's admission in 2017 that Uber had kept the breach secret for over a year prompted investigations by European regulators.
The UK Information Commissioner's Office (ICO) fined the company £385,000 ($490,760), while the Dutch Data Protection Authority (DPA) fined Uber €600,000 ($678,780).
In September 2018 Uber also agreed to pay $148m to US state attorneys general to settle legal action over the attack and its concealment.
But that was not the end of security incidents at the firm.
Last month (in September 2022) Uber confirmed it was “responding to a cybersecurity incident”.
The confirmation came after the New York Times reported that a hacker had gained access to the company's network, forcing Uber to take several internal communications and engineering systems offline.
According to the New York Times, the 18-year-old hacker compromised the company's Slack workspace and used it to send a message to Uber employees announcing that the company had suffered a data breach.
Screenshots purporting to show Uber's compromised internal systems were posted on Twitter.
The hacker was able to gain access to other internal company systems, posting an explicit photo on an internal information page for employees, according to the New York Times.