Joe Sullivan, the ride-hailing app's former chief security officer, has been found guilty by a San Francisco jury of obstructing a federal investigation and concealing a felony over the Uber data breach that took place in 2016.
What happened?
In 2016, Uber experienced a major data breach that exposed the personal data of 57 million passengers and drivers.
US state breach-notification laws generally require companies to disclose security breaches 'in the most expedient time possible and without unreasonable delay'. Sullivan had other ideas. Prosecutors said he worked to hide the breach from the Federal Trade Commission (FTC), which was already investigating Uber's security practices, and took steps to keep the hackers' identities from coming to light.
The breach was only publicly disclosed a year later, in November 2017.
When Uber announced the hacking, several US state and federal institutions started circling the tech giant. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” said US attorney Stephanie M Hinds.
The hackers, 23-year-old Vasile Mereacre and 26-year-old Brandon Glover, pleaded guilty to charges over the breach in October 2019.
The ‘bug bounty’ program: Inviting the foxes into the house
It's common for tech companies to offer incentives to security researchers who find vulnerabilities in their systems, in return for a payout or prize. Uber's 'bug bounty' program began in March 2016.
Daniel Borges, part of Uber's security response team, said he 'thought it was a creative way to solve a problem'. He did, however, have second thoughts about inviting the hackers into the program. It is unclear from the reports whether Uber's security team knew of the hackers' background at the time.
John Flynn, an information security officer who also reported to Joe Sullivan, testified in court. He said that 'in the beginning, we wanted to get them to operate within the program because that was the system we had set up for these sorts of things'. It was a structured system for people to find faults or security issues and formally report them.
The hackers, however, had their own ideas. The team sensed trouble when the first hacker reached out to Sullivan's personal email instead of going through Uber's official vulnerability-reporting portal. "The amount of money they were demanding was much higher than we would normally pay out for security flaws in the program. The point of the program is to find technical flaws, not exploit them and take advantage of them," said Flynn.
The hackers demanded "six figures" and threatened to expose the personal data they had stolen if they were not paid.
The aftermath
Prosecutors alleged that Sullivan agreed to pay the hackers $100,000 in bitcoin, routed through the bug bounty program, and had them sign nondisclosure agreements that falsely stated no data had been taken.
Paying the hackers allowed Uber to gather clues about the two men. Uber eventually identified them and required them to sign new agreements in their own names. Prosecutors alleged that Sullivan took steps to keep the hackers from being caught by the authorities, to limit the fallout for himself and for Uber.
In September 2018, Uber paid $148m to settle claims from US states that it had been too slow to disclose the hacking. In 2020, the US Justice Department filed criminal charges against Sullivan personally.
The conviction is a dramatic fall from grace for Sullivan, who previously worked as a federal prosecutor in San Francisco, prosecuting cybercrime. He also served as Facebook's chief security officer, following positions as senior director of trust and safety at eBay and associate general counsel at PayPal.
On top of the 2016 breach, Sullivan was also accused of withholding information from Uber officials who were working with the FTC to evaluate the extent of a 2014 data security breach.
The significance of the case
Sullivan's trial is the first high-profile criminal prosecution of a senior tech executive over the handling of a data breach.
Many view this as a landmark case in determining how personally accountable security staff are for the way cybersecurity incidents are handled. Ransomware attacks have increased sharply in recent years, with one industry estimate putting the rate at one every 11 seconds.
Cybersecurity is a daunting field to work in. Organised crime networks coordinate ransomware campaigns, and state-backed hacking groups operate globally.
It's no wonder that demand for cybersecurity services and cyber insurance is so high.