Cybersecurity and courtrooms collide! The Uber data breach trial is getting started almost 5 years after Uber announced the breach – a breach that was concealed for more than a year before that announcement.
As reported by The Guardian (Uber’s ex-security chief faces landmark trial over data breach that hit 57m users, written by Johana Bhuiyan), Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.
The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.
At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.
The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.
But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached. Even worse, during that time the company allegedly paid the hackers $100,000 to delete the data and keep the breach quiet – not good.
Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.
In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.
Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.
I expect people will be interested in the Uber data breach trial to see what happens. I know I will – I covered the original story back in 2017. Delays happen in reporting breaches all the time, as I reported last week. But when there’s a cover up to keep it silent – that delay could be criminal. Did that happen here? We’ll see what happens in the case.
So, what do you think? Are you interested to see what happens with the Uber data breach trial? Do you think it could impact how security officers handle data breaches in the future? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
This is nothing less than a government intimidation racket. This is putting a head on a spike.
The ones who are going to follow this case closely are all of the chief security officers at multiple corporations. CISOs are responsible for ensuring that their companies’ data remains safe from hackers and fraudsters, a high-stakes job that has become increasingly tricky.
But they do not make unilateral decisions. A chief security officer DOES NOT generally make the call on whether a company reports a data breach, or how. That is decided by the legal department and the chief executive, who at Uber at the time was Travis Kalanick.
Why is he not a co-defendant? How did the bug bounty payment get authorized from the Uber accounts department? Did Sullivan really have that kind of authority to authorize a payment that large? No way. Too many unanswered and Uber obstruction issues to list. Seems like some sloppy work from the DOJ.
Yeah. Bringing up a high-profile CISO on criminal charges related to professional conduct is surely a great way to ensure you’ll get an influx of talent into these crucial positions.
In the past year or so alone, T-Mobile, Planned Parenthood and the NFT marketplace OpenSea have been hacked. Perfect security is impossible, and now CISOs are wondering what happens if – or rather when – they fail. If Sullivan is convicted, they worry the outcome could set a precedent for who is at fault for a data breach. Could they be left holding the bag? Six years from now, will all of them be prosecuted?
Cybersecurity, ransomware detection/prevention, etc., etc. is a work in progress. Because it is relatively young, we don’t have that body of law and body of knowledge that’s derived over time to know where the line is. Bad guys are attacking us every day. We’re just trying to defend the company.
And it is NOT a good precedent for CSOs to be criminally prosecuted. They are essentially detectives solving crimes. Most people have no clue how CSOs operate. Nor a damn clue about cybersecurity. I was at ILTA and the absolute naive bullshit I heard was astounding. But then again, ILTA is part of “The Matrix” so what can you expect. Totally divorced from reality.
I was a security officer for 3 years at a Silicon Valley internet company. I am totally sympathetic to how Sullivan handled the security incident at the center of this case. There are risks to being the person in charge of responding to colossal threats. If I was a security executive I’d be worried sick about being on the hook for potential legal bills – hence the surge by security chiefs to get covered by directors and officers insurance.
But … no surprise, really, given the aggressive, do-what-it-takes culture that STILL exists across SV.
Sullivan had been unfairly singled out. He’s being scapegoated. The government thinks he should have known better because he’s a former prosecutor.
Even the court is shocked. At one of the pre-trial hearings, Judge Orrick (who will hear this case) said “I had not, until this moment, realized that your case was really against Uber and Uber is going to be sitting here in the form of Mr. Sullivan, and only Mr. Sullivan”.
I had a feeling I would hear from you on this one, Eric! I am just as surprised that Kalanick isn’t included in prosecution – unless (of course) they’re still working on indicting him. Will be interesting to see how the case unfolds.