The Charges
Uber’s former head of security, Joseph Sullivan, was charged yesterday with obstruction of justice in the US federal court of San Francisco. The charges come as a result of Sullivan’s attempt to hide a data breach from the US Federal Trade Commission (FTC) and Uber management. A statement from the US Department of Justice (DOJ) states that a criminal complaint had been filed against Sullivan, for actions he had taken while he was Uber’s Chief Security Officer from April 2015 to November 2017. The complaint alleges Sullivan had been contacted by two hackers who stated they had accessed and downloaded an Uber database. The hackers demanded that Uber pay a ransom in exchange for their silence. In response, Sullivan allegedly paid the hackers $100,000 in bitcoin in December 2016. However, to prevent knowledge of the breach reaching the FTC, Sullivan paid the hackers through Uber’s bug bounty program. To both conceal the hack and the amount of data exposed from the FTC, he also allegedly had the hackers sign a non-disclosure agreement. The agreement allegedly contained a false representation that the hackers had not accessed or downloaded any data. Consequently, Sullivan has also been charged with misprision of a felony. Meaning he knew of the breach and failed to report it the appropriate authorities.
What Uber Information was Stolen
During the 2016 large scale data breach, two hackers managed to access an Uber database containing Personally Identifiable Information (PII). The data accessed and downloaded belonged to some 57 million Uber users and drivers. As well as the usual PII, the database also held the drivers’ license numbers of about 600,000 Uber drivers. Uber did not disclose the data breach or the payment until late 2017, when the breach was discovered by Uber’s newly appointed chief executive. According to the complaint, in the interim, the hackers were able to attack other companies and steal their users’ data. The breach’s disclosure prompted investigations not only in the US but in other countries as well, including the UK, Australia, Italy and the Philippines. Nonetheless, according to DOJ’s statement, Uber has since been cooperating with the government in its investigations into the breach. Uber said in a statement: “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
Uber’s Former Head of Security
Joseph Sullivan is a former Assistant US Attorney. He joined Uber in 2015 after having worked for more than five years at Facebook as their Chief Security Officer. Previously he had worked at eBay and PayPal. Currently he is the Chief Security Officer at CloudFlare, an internet infrastructure and security company. A spokesman for Sullivan, Bradford Williams, stated that there was “no merit” to the charges against his client. Williams noted that Sullivan is “a respected cybersecurity expert.” In Sullivan’s defense, Williams added that Sullivan and his team “collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.” If convicted, Sullivan faces a maximum penalty of five years in prison for the obstruction of justice charge. Furthermore, he faces a maximum of three years in prison for the misprision charge.
Uber’s Settlements
In 2018, Uber paid $148 million to settle the investigation into their attempted concealment of the 2016 data breach. According to New York’s attorney general, the settlement, which encompassed all US states, was the largest ever multi-state data breach settlement. As part of the settlement, Uber also agreed to put in place a corporate integrity program. Furthermore, they agreed to adopt model data breach notification and data security practices. In addition, they were required to hire an independent third-party to assess its data security practices. Previously, Uber had settled a case with the FTC for having deceived its clients also over the 2016 data breach.
