uber cybersecurity leak scandal

Over the past few years, the road has not been smooth for former Uber Chief Security Officer Joseph Sullivan. On December 21, 2021, three additional wire fraud charges were added to the felony obstruction and misprision counts he was already facing due to his alleged activities in 2016.

On that date in 2021, Acting United States Attorney Stephanie M. Hinds and FBI Special Agent in Charge Craig D. Fair announced that the additional charges were being handed down as a result of the part that Mr. Sullivan played in the alleged attempted cover-up of the hack against Uber Technologies that occurred in 2016. The incident compromised an estimated 57 million customer and driver records. At that time, Mr. Sullivan, 52, worked for Uber as their Chief Security Officer.

Hackers sent word to Mr. Sullivan in 2016 that they had successfully stolen an Uber database containing over 600,000 pieces of personally identifying information (PII) consisting of driver’s license numbers that were associated with particular Uber drivers. 

According to the indictment, Sullivan allegedly set up a six-figure payment to two of the hackers in exchange for their silence about the data breach. The indictment also claims that Sullivan attempted to keep victims in the dark about the hack and even contrived to prevent the Federal Trade Commission (FTC) from learning about the incident to keep money flowing to his company without interruption.

The ramifications of Sullivan’s behavior are serious. Special Agent in Charge Fair indicated that had the event been fully disclosed to the proper authorities in a timely fashion, the government would have been better able to assist Uber in dealing with the consequences. 

When Sullivan was alerted to the breach by the hackers who had committed it via email, he confirmed that it was legitimate within 24 hours. It is alleged that he then went into damage control mode instead of reporting the incident. He took steps to pay off the hackers and have them sign nondisclosure agreements falsely stating that no information was stolen or stored. He funneled the hackers’ payments through a third-party liaison who passed the money to so-called “white hat” hackers who identify cybersecurity threats without sabotaging data.

Finally, Uber paid the two hackers $100,000 in Bitcoin even though the company did not learn their names until 2017. 

Ultimately, the hackers were identified and prosecuted in the Northern District of California. On October 30, 2018, they pleaded guilty to computer fraud conspiracy charges and await sentencing. Sullivan is charged with three counts of wire fraud, obstruction of justice, and misprision of a felony. 

If convicted, he could spend a maximum of 20 years in prison for each wire fraud count, five years for obstruction of justice, and three years for misprision. Sullivan’s arraignment on the new charges has not yet been scheduled.

In 2017, Uber’s management discovered what it had learned about the breach and disclosed it to the public and to the FTC in November of that year. The company continues to cooperate with ongoing federal inquiries. The case against Sullivan is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s office.

Was It Possible to Avoid this Situation?

It is possible that this situation could have been avoided if Mr. Sullivan had reported the incident to the proper authorities in a timely fashion. By taking steps to pay off the hackers and have them sign nondisclosure agreements falsely stating that no information was stolen or stored, he prevented the Federal Trade Commission from learning about the incident and allowed Uber to continue operating without interruption.

Why are Managed Security Services Vital in Such Cases?

Cybersecurity is vital in such cases because it can help prevent hackers from accessing sensitive information. Managed security services can offer a range of tools and services, such as 24/7 monitoring, threat intelligence, and vulnerability assessment, to help organizations detect and respond to cyber threats. Companies that take these steps can significantly reduce the risk of data breaches and other types of cyberattacks.