
Joe Sullivan, Uber’s former security chief, goes on trial this week in what is believed to be the first instance of an executive facing criminal charges in connection with a data breach.

The US District Court in San Francisco will hear arguments on whether Sullivan, the ride-sharing company’s former chief of security, neglected to properly disclose a 2016 data breach that affected 57 million Uber riders and drivers worldwide. At a time when allegations of ransomware attacks have increased, and cybersecurity insurance rates have skyrocketed, the case might set a significant precedent regarding the accountability of US security personnel and executives for how the organizations for which they work manage cybersecurity crises.

The Background

The breach first came to light in November 2017. Dara Khosrowshahi, Uber’s chief executive, revealed that hackers had gained access to 600,000 US driver’s license plates, as well as the names, emails, and phone numbers of 57 million Uber riders and drivers.

Public disclosures such as Khosrowshahi’s are required by law in several US states, with most legislation requiring the notification to be issued “in the most expedient time possible and without unreasonable delay”.

However, Khosrowshahi’s announcement included an admission: the information had been exposed for a whole year beforehand. Khosrowshahi claimed at the time that the business had investigated the delay and removed two officials, one of whom was Sullivan, who had headed the response to the breach.

Uber paid $148 million in a nationwide settlement with 50 state attorneys general in 2018 for failing to disclose the data breach. The two hackers pled guilty in 2019 to hacking Uber and then extorting the company’s “bug bounty” security research program. The Department of Justice charged Sullivan with a crime in 2020.

The Trial

According to the Justice Department lawsuit, only Sullivan and former Uber CEO Travis Kalanick were aware of the entire scope of the hack. They played a role in the decision to classify it as an approved disclosure through the bug bounty program. However, as the New York Times first reported, the security profession is divided on whether Sullivan should be held entirely accountable for the attack. Some have questioned if the role of other corporate officials and the board of directors should also be probed, while others believe Sullivan’s involvement was obvious.

The trial will take place as reports of ransomware attacks increase. According to the threat intelligence firm SonicWall, ransomware attacks in the United States climbed by more than 95% in 2021. Many of those attacks targeted hospitals and schools. Over the Labor Day weekend, hackers launched a cyber-attack on the Los Angeles Unified School District, the country’s second-largest school district.

