Law and Forensics | Insights
Lessons For Cybersecurity Officers After Ex-Uber Exec Trial
October 12th, 2022
By Daniel Garrie
Joe Sullivan, the former chief security officer at Uber Technologies Inc., was found guilty Oct. 5 in federal court on charges that he concealed a breach of customer and driver records from government regulators.
Sullivan’s actions and their consequences are not the new rules for chief information security officers; they are the exceptions. Below are some key considerations based on the results of this case.
In 2016, Uber suffered a data breach in which hackers downloaded the personal data of about 600,000 Uber drivers and the additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers then pressured Uber to pay them $100,000.
The prosecutors alleged that Sullivan’s team routed the hack and the payment request through Uber’s bug bounty program, a procedure through which white hat researchers can report security vulnerabilities, in an effort to conceal the breach.
Sullivan directed his team to pay the hackers $100,000 and had the hackers sign a nondisclosure agreement.
The breach occurred while the Federal Trade Commission was investigating Uber over an earlier breach of Uber’s online systems. Uber did not publicly disclose the 2016 breach or inform the FTC until 2017, when new CEO Dara Khosrowshahi joined the company.
Federal prosecutors argued that Sullivan concealed the 2016 breach because he thought that disclosing it would prolong the FTC investigation and hurt his reputation.
According to court testimony and documents, Sullivan did not reveal the 2016 breach to Uber’s general counsel. An executive on Sullivan’s team testified that Sullivan had told the Uber security team that they needed to keep the breach secret and that Sullivan modified the nondisclosure agreement signed by the hackers to make it seem like the breach was white hat research.
The jury found Sullivan guilty on one count of obstructing the FTC’s investigation and one count of misprision, i.e., concealing a felony from authorities.