Joe Sullivan’s trial is believed to be the first case of an executive facing criminal charges over such a breach
The US district court in San Francisco will hear arguments on whether Joe Sullivan failed to properly disclose a 2016 breach. Photograph: Richard Drew/AP
Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.
The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.
At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.
The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.
Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.
But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said at the time, adding that the company had investigated the delay and had fired two executives who had led the response to the breach, one of whom was Sullivan.
Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.
In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.
That program was intended to incentivize hackers and security researchers to report vulnerabilities in exchange for cash rewards, but it did not allow for “rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems”, the complaint says.
The hackers in the 2016 breach were rewarded $100,000, the complaint says, more than any bounty the company had paid as part of the program until that point.
Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.
In 2018, months after he was fired, Sullivan contested any claims of a cover-up and said he was “surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up”.
Neither Sullivan nor Uber immediately responded to a request for comment.
The justice department complaint alleged that only Sullivan and the former Uber chief executive Travis Kalanick had knowledge of the full extent of the hack as well as a role in the decision to treat it as an authorized disclosure through the bug bounty program. However, as the New York Times first reported, the security industry is divided over whether Sullivan deserves to be held solely responsible for the breach. Some have questioned whether the role of other company executives and its board should be investigated as well, while others say Sullivan’s role in it was clear.
“I don’t know if Uber management knew about the concealment … or if Sullivan was directed to make the $100,000 payment to hide the breach. The trial will ferret all that out,” Jamil Farshchi, the chief information security officer at Equifax, wrote in a Linkedin post. “What I do know is that nobody is disputing that a breach of 57 million people occurred, Uber concealed it, and that Joe Sullivan … was involved in the concealment.”
The trial will play out as reports of ransomware attacks continue to rise. In 2021, the US saw a more than 95% increase in ransomware attacks, according to the threat intelligence firm SonicWall. Many of those attackers have targeted healthcare facilities and schools. Hackers targeted the Los Angeles unified school district, the second-largest school district in the US, with a cyber-attack over Labor Day weekend.
… as you’re joining us today from India, we have a small favour to ask. Tens of millions have placed their trust in the Guardian’s fearless journalism since we started publishing 200 years ago, turning to us in moments of crisis, uncertainty, solidarity and hope. More than 1.5 million supporters, from 180 countries, now power us financially – keeping us open to all, and fiercely independent.
Unlike many others, the Guardian has no shareholders and no billionaire owner. Just the determination and passion to deliver high-impact global reporting, always free from commercial or political influence. Reporting like this is vital for democracy, for fairness and to demand better from the powerful.
And we provide all this for free, for everyone to read. We do this because we believe in information equality. Greater numbers of people can keep track of the events shaping our world, understand their impact on people and communities, and become inspired to take meaningful action. Millions can benefit from open access to quality, truthful news, regardless of their ability to pay for it.
Every contribution, however big or small, powers our journalism and sustains our future.
https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach
