Uber was hacked in 2016, revealing the personal information of 600,000 Uber drivers and 57 million Uber passengers. If you joined Uber in or prior to 2016, there’s a good chance your data was exposed in the Uber Data Breach. Why are you learning about this now? Because on August 20, 2020, the Federal Trade Commission filed a criminal complaint against Joseph Sullivan, Uber’s former Chief Security Officer, because he not only didn’t report the crime, he actively worked to “conceal, deflect, and mislead the Federal Trade Commission about the breach,” according to the FTC.
About the Uber Data Breach
This wasn’t even the first time that Uber had been hacked: Uber had been breached in 2014, and Sullivan was selected by Uber to respond to the FTC’s inquiries into that data breach. About ten days after Sullivan provided his testimony to the FTC, he was contacted by two hackers and told that they had accessed Uber’s data. According to Uber in its own blog post on the same day as the FTC and FBI’s announcement, the hackers accessed "data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure."
The Uber Driver data that was breached included names and drivers’ license numbers, but that data was also among the 57 million Uber Rider Data, whose names, email addresses and mobile phone numbers were among the breached data.
Concealing the Uber Data Breach
Sullivan and his team took less than 24 hours to confirm that the Uber Data Breach. However, he then worked with the hackers to pay them “hush money” in exchange for a promise not to reveal the hack to the public.
The payment was made to the hackers via Bitcoin under false names, which were also used on a written non-disclosure agreement, which included a “false representation” that no data was actually taken. In order to help conceal the breach, the payment was facilitated through a “bug bounty” program. Such programs are used to reward white-hat hackers when they discover, but do not exploit data vulnerabilities.
The true identity of the hackers were later discovered to be Brandon Charles Glover of Florida and Vasile Mereacre of Toronto. Sullivan sought to have them re-sign their non-disclosure agreement under their true names. At least one other Uber employee was involved in the preparation of the agreement, but according to the FBI, "When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements."
Sullivan Reveals the Breach to Uber Management
Uber Founder Travis Kalanick resigned as CEO in 2017, and new management, including a new CEO, Dara Khosrowshahi, were hired in August. Sullivan told the new CEO about the 2016 breach, and then asked his team for a summary of the event to present to Khosrowshahi. Sullivan then edited the draft summary prepared by his team by removing details about the data that was taken, and then by adding false information that the payments were made only after the true identities of the hackers were known.
Uber’s new management ultimately discovered the truth and disclosed the Uber data breach publicly, and to the FTC, in November 2017.
Had Sullivan reported the breach rather than trying to cover it up, the FBI says that no charges would have been filed. But given the current facts, the criminal complaint filed on August 20 alleges that Sullivan deceived Uber’s new management team about the 2016 breach. The FBI is charging Sullivan with “obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4.” (The term “misprision” is the deliberate concealment knowledge of a felony or treasonable act.)
What You Can Learn From The Uber Data Breach
There are several lessons to be learned from this story, not the least of which is that cloud-based services require the same or higher level security as your in-house data. All cloud-based systems come with security by default, but they also come with security holes by default, and it’s your cybersecurity team’s responsibility to plug them. Not only are there optimizations that can be done within most cloud-based systems, but you can also increase and optimize your security around the cloud services with cloud-optimized firewalls, mandatory file and folder-based encryption, SIEM and Security Operations Center technologies, and other techniques.
The other lessons have to do with cover-ups. While the data breach penalties that corporations can face can range into the tens or hundreds of millions of dollars, not reporting data breaches can result in even worse consequences, including criminal penalties.
What You can Do
Some data security breaches have one level of penalties in the event of a breach, and a much higher level of penalties if there is no plan to deal with the breach, or if the plan is not followed. All of this serves as a warning to not only secure your business data, but to also have procedures in place in the event of an incident like the Uber data breach. Digital Uppercut is here to help you with both your security and your plan. Call Digital Uppercut at 818-913-1335 or contact us online today.