Uber Security Chief concealed data breach – official

The case could have significant impact on the way future data breaches are penalized by law and fines.
6 October 2022

How will data breaches be penalized, post-Uber?

Uber has, to put it mildly, not been a lucky company when it comes to data breaches. A major data breach and a high-ranking whistleblower have rocked public confidence in the company over the course of the last five years. That confidence won’t be bolstered by the findings of a San Francisco jury this week that former Uber Technologies Inc chief security officer, Joseph Sullivan, knowingly concealed evidence of a major cybersecurity incident in 2016 – for over a year.

To some extent, it’s reassuring that Sullivan was fired from Uber in 2017, but the jury this week found him guilty on two counts, one of obstruction of justice and the other of the deliberate concealment of a felony.

57 million users

The case revolves around a breach at Uber’s systems that affected the data of 57 million passengers and drivers in 2016, including data from seven European countries. 2.7 million of the 57 million total users whose data was affected by the breach were in the UK.

The company’s non-disclosure of the incident for a full year potentially left the affected data loose in the world, with the affected people entirely unaware that there were self-protective measures available to them. It’s arguable that the company itself should have been prosecuted for this act of staggering data negligence, but it did a deal with prosecutors back in July this year to hang the already-dismissed Sullivan out to dry and separate itself from any potential criminal consequences – having already paid out a fortune to settle claims over its slow reaction to the breach.

Stephanie Hinds, US Attorney for the Northern District of California, said “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught.”

In fact, those “steps to prevent the hackers from being caught” were alleged by prosecutors in 2020 to have amounted to arranging to pay the hackers $100,000 in Bitcoin in exchange for the attackers signing non-disclosure agreements – paperwork that essentially lied, stating that the hackers had not in fact stolen any user or driver data.

In a detail that partly clears the company itself of wrongdoing in the 2016 case, Sullivan was also accused of withholding information from Uber officials. Had they known, they could have reported the breach to the FTC, so the separation between the board and Sullivan is important in putting the Uber of 2016 free and clear of any share in the wrongdoing.

The data breach double-down

It’s worth noting that in 2016, the FTC was already evaluating Uber’s data security protocols, following a previous data breach in 2014. While no consideration of motive was given during the ruling this week, and any such considerations must necessarily be nothing but speculation, concealing details of a recent data breach in a company already being investigated for a previous data breach could from some angles be seen as an understandable error. The 2016 breach eventually cost Uber $148 million, when it settled claims by all 50 states and by Washington, D.C. that it had been too slow as a company in disclosing the breach.

The Uber breach has been viewed as a test case for the dividing lines of culpability in cases of data breaches, between individual staff members, the boards of their companies, and the companies as entities in their own right. Some of the biggest names in the technology business, including Amazon and Meta, have fallen foul of data laws (especially European data laws, embodied in the fairly strict GDPR, or General Data Protection Regulation), with Amazon being fined a record-breaking $800 million for mishandling and failing to take proper care of its users’ data. No individual officer from any of these major technology companies has been held personally criminally responsible for the laxity of the company with regard to its users’ data.

A golden age of data probity?

But the Uber case has been watched particularly for its consequences in terms of data breaches, especially since the number of data breaches in companies of all sizes has risen alarmingly since the evolution of the remote working model and the end of lockdowns. There have been over 4,000 publicly disclosed data breaches in 2022 alone. As a result, cyber-insurance brokers have decided either to raise their premiums significantly, or to carve any provision to pay in cases of ransomware out of company policies, or both, with 2023 expected to be a particularly hard year in which to get cyber-insurance against data breaches.

The message from the Uber case seems to be that while companies could be forced to pay extremely high settlements for concealing data breaches or for avoidable carelessness with the data of their users, individual senior officers or managers could face personal liability if they do not inform their board immediately of any breaches of which they become aware. (Paying hackers sackfuls of Bitcoin to say they didn’t take any data is, probably understandably, likely to be a bridge too far in any case.) What Sullivan’s final penalty will be for his actions in the case of the 2016 Uber breach is as yet unknown, and will likely send further shivers of panic down C-suite spines. Whether it will be enough to scare officers, boards, and companies into a new era of data probity remains to be seen.