Joseph Sullivan, a former Uber executive in charge of security, has been charged with obstruction of justice and misprision of a felony. The US Justice Department issued the decision following a data breach in 2016. The Department alleges that Sullivan covered up a breach that revealed the personal information of almost 60 million customers and the information of over half a million drivers.
The breach and the cover-up
Hackers took the data from Uber after using stolen information to locate Uber’s source code on GitHub, a code hosting and development site used by businesses.
According to federal court papers filed last week in California, rather than reporting the breach, Sullivan paid a bitcoin ransom of $100,000. The ransom was covered up using the “bug bounty reward” scheme given to security researchers for finding weaknesses in Uber’s system.
In addition, Sullivan allegedly made the hackers sign NDAs (Non-Disclosure Agreements) confirming that they had not sold the breached data. But prosecutors dispute what the NDA states, saying it “contained a false representation that the hackers did not take or store any data.” Following those signings, it is alleged that Uber made the hackers sign a second NDA. By this time, Uber was aware of the hackers’ identities.
Joe Sullivan failed to inform the new CEO about the full extent of the data breach. Uber eventually declared the breach in 2017 and Sullivan was subsequently fired. If convicted, he faces up to eight years in prison and $500,000 in fines.
Sullivan’s spokesman Bradford Williams told the BBC that responsibility lay with Uber’s policies, saying:
If not for Mr Sullivan and his team’s efforts, it is likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department – and not Mr Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed.
However, US attorney David Anderson said they expected more from the firm.
We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect co-operation with our investigations. We will not tolerate corporate cover-ups.
The two hackers identified by Uber were prosecuted in the Northern District of California last year, pleading guilty in 2019 to charges of computer fraud. They are now awaiting sentencing.
This is not the first data breach that Uber has faced. In September 2014, 50,000 drivers were affected in a data breach when a third party accessed the company’s database.
How to handle a data breach
It is important to learn from Uber’s incident how a data breach should be handled. Here are some guidelines to keep in mind:
1. Does your company have a data breach reporting policy? Every organisation should have a concrete policy in place on how people can report a data breach. This helps to avoid ambiguity and ensures people are accountable. If you would like guidance on this, get in touch with us.
2. Concealing a data breach is illegal. Under GDPR, a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it.
3. If you are aware of a data breach, you must communicate it to the right people at your organisation. They will then escalate it to the appropriate regulatory body such as the ICO.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.