United States: This week, Joe Sullivan, a former Uber security executive, will be prosecuted in what is believed to be the first instance in which an executive has been charged with a crime related to a data breach.
Arguments about whether Sullivan, the former head of security at the ride-sharing giant, failed to properly disclose a 2016 data breach that affected 57 million Uber users and drivers globally will be heard in court, according to the US District of San Francisco.
The case could set an important precedent about the responsibility of US security personnel and officials in the way they handle cybersecurity incidents, at a time when reports of ransomware attacks have increased and cyber security insurance premiums have risen.
The breach was first made public in November 2017, when Uber CEO Dara Khosrowshahi revealed that hackers had accessed the names, email addresses and phone numbers of 57 million Uber riders and drivers, as well as the driver's license numbers of 600,000 US Uber drivers.
Several US states have laws requiring public disclosures such as Khosrowshahi's, most of which require that notification be made "in the shortest possible time and without undue delay".
However, Khosrowshahi acknowledged in his announcement that a full year had passed since the data breach.
At the time, Khosrowshahi said, "You might be wondering why we're talking about this now, a year later." The company noted the delay and fired two executives who oversaw the response to the breach, one of whom was Sullivan.
Following Uber's disclosure, several federal and state inquiries were made. In 2018, Uber paid $148 million in an international settlement with 50 state attorneys general for failing to disclose the data breach.
In 2019, two hackers admitted to hacking Uber and then extorting money from the company's "bug bounty" security research program. The Justice Department charged Sullivan with a felony in 2020.
Federal prosecutors claimed in court documents that Sullivan, in an effort to hide the security breach, instructed his team to "keep a strict control of the 2016 breach" and to treat the incident as a component of the bug bounty program.
According to the complaint, the program "was not allowed to reward a hacker who obtained personally identifiable information of users and drivers from an Uber-controlled system." Instead, it was designed to encourage hackers and security researchers to report vulnerabilities in exchange for financial rewards.
The complaint claims that the $100,000 bounty paid to hackers in the 2016 breach was by far the largest reward ever paid by a business as part of the program.
Additionally, federal prosecutors claim that Sullivan asked the hackers to sign an additional non-disclosure agreement (NDA), which "falsely represents that the hackers did not obtain or store any data during their intrusion."
Sullivan denied any allegations of cover-ups in 2018, months after leaving, and expressed his dismay at how quickly those at Uber had suggested the cover-up.
Neither Sullivan nor Uber immediately responded to requests for comment.
According to the Justice Department complaint, only Sullivan and former Uber CEO Travis Kalanick were said to have known the full scope of the hack and played a part in the choice to treat it as authorized disclosure through the bug bounty program.
However, the security industry is divided over whether Sullivan should be held solely responsible for the breach, as the New York Times first reported.
While some have argued that Sullivan's involvement in this was obvious, others have questioned whether the roles of the company's other executives and its board should also be taken into account.
"I don't know if Uber management knew about the cover-up or if Sullivan was asked to pay $100,000 to cover the security hole," Equifax's chief information security officer Jamil Farshchi said in a LinkedIn post, adding that the trial would trace all of that information.
"What I do know is that there is no dispute that there was a breach affecting 57 million people, Uber covered it, and Joe Sullivan… was involved in the cover-up."
The trial will proceed as news of ransomware attacks grows. According to threat intelligence company SonicWall, ransomware attacks in the US increased by more than 95% in 2021.
Schools and health facilities are the targets of many of these attackers. Over Labor Day weekend, hackers conducted a cyberattack against the Los Angeles Unified School District, America's second largest school district.