Cybersecurity and courtrooms collide! The Uber data breach trial is getting started almost 5 years after Uber announced the breach – which was concealed for more than a year.
As reported by The Guardian (Uber’s ex-security chief faces landmark trial over data breach that hit 57m users, written by Johana Bhuiyan), Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.
The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.
At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.
The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.
But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached. Even worse, during that time, the company allegedly paid hackers $100,000 to delete the data and keep the breach quiet – not good.
Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting the company, with the payment routed through Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.
In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.
Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.
I expect people will be interested in the Uber data breach trial to see what happens. I know I will – I covered the original story back in 2017. Delays happen in reporting breaches all the time, as I reported last week. But when there’s a cover-up to keep it silent – that delay could be criminal. Did that happen here? We’ll see what happens in the case.
So, what do you think? Are you interested to see what happens with the Uber data breach trial? Do you think it could impact how security officers handle data breaches in the future? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.