Former Uber CSO charged for covering up 2016 data breach
The former chief security officer of Uber is facing a criminal complaint in the U.S. for taking deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the 2016 data breach and for making an illegal hush-money payment to hackers.
The criminal complaint against former Uber chief security officer Joseph Sullivan was filed in a federal court in the District of California on Thursday. The complaint stated that Sullivan quietly paid off hackers by funneling the payoff through a bug bounty programme and also took deliberate steps to prevent knowledge of the breach from reaching the FTC.
The security incident involved two malicious hackers obtaining login credentials for one of Uber’s Amazon Web Services servers from the code-hosting site GitHub and using the stolen credentials to access a huge database that contained personal information of thousands of registered Uber drivers as well as 57 million customers, from both the United States and Europe.
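The failure mode described above, cloud credentials committed to a code repository, is one that a repository-side check can catch before a push lands. The scanner below is an added example written for this article, not code from Uber or from the complaint: it flags AWS access key IDs by their fixed format and flags 40-character secret keys only when they are assigned to a variable named like a secret and have the entropy of a real random key, so documentation placeholders do not trigger it. The sample files are constructed for the example; the key values in them are AWS’s own published documentation placeholders, not live credentials.

```python
"""Scan source lines for AWS credentials before they reach a shared repository.

Added example, not from the article or from Uber: a minimal pre-commit style
check for the failure mode the article describes (cloud account credentials
committed to a code repository).  The sample files below are constructed; the
key values are AWS's published documentation placeholders, not real keys.
"""
import math
import re
from typing import Dict, List, NamedTuple

# AWS access key IDs are 20 uppercase alphanumerics starting with AKIA
# (long-lived IAM user keys) or ASIA (temporary STS keys).  The lookarounds
# stop us matching a longer token that merely contains those letters.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet.  That pattern
# alone is far too common in source code, so require an assignment to a
# variable whose name mentions "secret", then check entropy below.
SECRET_KEY_RE = re.compile(
    r"(?i)\b[A-Z_]*secret[A-Z_]*\b\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Bits per character; genuinely random 40-character keys sit well above this,
# while placeholder strings such as forty "x" characters score 0.
MIN_SECRET_ENTROPY = 3.0


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str   # never log the full secret, even from a scanner


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep just enough of the token to locate it in the file."""
    return token[:4] + "..." + token[-4:]


def scan_lines(path: str, lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        m = SECRET_KEY_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY:
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_repo(files: Dict[str, List[str]]) -> List[Finding]:
    """Scan a mapping of path -> lines, e.g. the staged files of a commit."""
    out: List[Finding] = []
    for path, lines in files.items():
        out.extend(scan_lines(path, lines))
    return out


# Constructed sample repository.  Key values are AWS documentation placeholders.
SAMPLE_FILES: Dict[str, List[str]] = {
    "config/settings.py": [
        "DEBUG = False",
        "# Hard-coded credentials: this is what the check must block.",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
    ],
    "deploy/env.sample": [
        "# Placeholder value: low entropy, must not be reported.",
        "aws_secret_access_key=" + "x" * 40,
        "# Reading the key from the environment is the pattern we want to allow.",
        "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']",
    ],
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Run as a pre-commit hook or a CI step, the check fails the commit on the two findings in `config/settings.py` and stays quiet on the placeholder and the environment lookup. A key that has already been pushed should be treated as compromised and rotated regardless of how quickly the commit is removed, since public repository history is copied by third parties within minutes; the scanner is a guard rail, not a substitute for short-lived credentials and least-privilege roles on the account itself.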
In order to hide the breach, Uber paid a $100,000 ransom in bitcoin to the two individuals and chose to brush the incident under the carpet. However, in November 2017, the company’s new CEO Dara Khosrowshahi decided to come clean and announced the scale of the breach that had taken place a year earlier and how Uber’s top executives had conspired to keep it hidden from the public.
On 26th September 2018, Uber agreed to a $148 million nationwide settlement in the U.S. to resolve allegations that it violated state data breach reporting and reasonable data security laws by attempting to cover up the data breach and not notifying authorities about the incident.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data,” said California Attorney General Xavier Becerra.
In November 2018, Uber was also fined £385,000 by the Information Commissioner’s Office (ICO) for failing to secure the personal information of around 2.7 million UK customers, including 82,000 drivers, and for paying the attackers responsible $100,000 to destroy the data they had downloaded.
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” said Steve Eckersley, Director of Investigations at the ICO.
According to the criminal complaint filed against Sullivan, he not only hid information about the data breach from the Federal Trade Commission and other authorities but also deceived Uber’s new management team by withholding critical details about the breach from them.
Even though the ransom payment was made before the hackers were identified, Sullivan chose to tell the new management team that the payment had been made only after the hackers had been identified. He also edited an internal summary of the data security incident to remove details about the data that the hackers had taken.
If he is found guilty and convicted, Sullivan faces a maximum statutory penalty of five years in prison for obstruction of justice and a maximum of three years in prison for misprision of a felony.
“Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments,” said United States Attorney David L. Anderson.