Connect with us

Hi, what are you looking for?

Editor’s Pick

Uber’s ex-security chief faces landmark trial over data breach that hit 57m users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said at the time, adding that the company had investigated the delay and had fired two executives who had led the response to the breach, one of whom was Sullivan.

Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.

In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.

That program was intended to incentivize hackers and security researchers to report vulnerabilities in exchange for cash rewards, but it did not allow for “rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems”, the complaint says.

The hackers in the 2016 breach were rewarded $100,000, the complaint says, more than any bounty the company had paid as part of the program until that point.

Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.

The justice department complaint alleged that only Sullivan and the former Uber chief executive Travis Kalanick had knowledge of the full extent of the hack as well as a role in the decision to treat it as an authorized disclosure through the bug bounty program. However, as the New York Times first reported, the security industry is divided over whether Sullivan deserves to be held solely responsible for the breach. Some have questioned whether the role of other company executives and its board should be investigated as well, while others say Sullivan’s role in it was clear.

“I don’t know if Uber management knew about the concealment … or if Sullivan was directed to make the $100,000 payment to hide the breach. The trial will ferret all that out,” Jamil Farshchi, the chief information security officer at Equifax, wrote in a Linkedin post. “What I do know is that nobody is disputing that a breach of 57 million people occurred, Uber concealed it, and that Joe Sullivan … was involved in the concealment.”

Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!

Latest

News

PHILIPPINE STAR/ MICHAEL VARCAS WASHINGTON D.C. — The United States is seeking to form a coalition of countries to drive negotiations on a global...

News

Buildings are seen along EDSA in Quezon City. — PHILIPPINE STAR/ MIGUEL DE GUZMAN By Diego Gabriel C. Robles  THE WORLD BANK (WB) upgraded...

News

Heavy traffic is seen on the southbound lane of EDSA in Cubao, Quezon City. — PHILIPPINE STAR/ MIGUEL DE GUZMAN THE PHILIPPINE auto industry’s...

News

REUTERS THE BANGKO SENTRAL ng Pilipinas (BSP) may deliver a second off-cycle rate hike in early November when the US Federal Reserve is expected...

News

Vendors arrange their goods at a public market in Manila. — PHILIPPINE STAR/ RUSSEL A. PALMA THE ASIAN Development Bank (ADB) is planning to...

Editor’s Pick

With the reversal of the 1.25% rise in National Insurance Contributions happening on the 6th of November, employers across the nation have an opportunity...

You May Also Like

News

BW FILE PHOTO GROSS BORROWINGS by the National Government reached P2.6 trillion as of end-September as it continued to raise funds to respond to...

News

KARASOLAR.COM TENA, Ecuador — Ecuador’s rainforest Achuar people say their ancestors long dreamed of a “fire canoe” or “electric fish” that would let them...

News

REUTERS By Luz Wendy T. Noble, Reporter The country’s foreign exchange buffers slightly increased as of end-October as the value of the central bank’s...

News

COVID-19 has had a significant impact on the mental health of Filipinos across different groups all over the archipelago. From frontline workers, parents balancing...

Disclaimer: Respect Investment.com, its managers, its employees, and assigns (collectively "The Company") do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2022 Respect Investment. All Rights Reserved.