By Erin Ayers, Advisen
The U.S. Department of Justice last week charged Uber’s former chief security officer in a case that has become an object lesson in how not to handle a data breach.
Joseph Sullivan, Uber’s CSO from 2015 to 2017, faces allegations that he tried to cover up a 2016 data breach involving the personal information of about 57 million Uber riders and drivers. According to the complaint, two hackers contacted Sullivan after accessing Uber’s system and demanded a six-figure payment in exchange for their silence. Justice officials say Sullivan paid the then-unidentified hackers $100,000 via a bug bounty program and had them sign non-disclosure agreements saying they hadn’t accessed any data.
At the time, Uber and Sullivan were working with the Federal Trade Commission’s investigation of Uber’s 2014 data breach and officials say Sullivan was quite familiar with how a genuine data breach should have been handled. Classifying the breach as stemming from friendly white-hat hackers rather than malicious actors went about as well as one might expect, especially when the hackers were later prosecuted for their successful attacks on other tech companies.
“Silicon Valley is not the Wild West,” said U.S. Attorney David L. Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
The regulatory message to date for organizations appears to be that if you have a data breach, don’t try to hide the data breach. Globally, enforcement officials tend to be a bit more forgiving for breached businesses that a. tried to prevent cyber events to the best of their abilities and b. that provide proper notification to affected parties and cooperate post-event. At this point, with the widespread attention to cyberattacks and their consequences, not to mention laws governing data breaches at the state and federal level, no firm can claim they felt that attempting an elaborate cover-up of a data breach was the best idea. This case illustrates that an organization that acts like their customers’ data means something to them, as it does to their customers, fares much better than the alternative.
“Concealing information about a felony from law enforcement is a crime,” said Deputy Special Agent in Charge Craig Fair, in a statement on the charges. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
Catching the bad actors
One of the most frequent questions that comes up during conferences, virtual events, and webinars is “How do we catch the bad guys? Does working with law enforcement help?” It’s an understandable question because for many, inside and outside the insurance industry, there appears to be this sense of helplessness, that cyberattacks will just keep coming because the cybercriminals know far too well how to hide their tracks and will never be caught or they’ll be identified and never prosecuted. That’s why it’s helpful to hear, as in the case of the Uber hackers or the teen thieves who orchestrated the Great Twitter Bitcoin Heist of 2020, that actual arrests take place – although in the case of the Twitter hack, it seems like the investigation did not require much heavy lifting. Another good example is this excellent read (in two parts) from Brian Krebs about capture of an “ID theft kingpin,” someone who made $3 million per year swindling data brokers out of their valuable wares. It’s a great inside look at the profits and the perils of the data breaches that make up the day-to-day of cyber service providers.
Editor Erin Ayers can be reached at firstname.lastname@example.org