October 7, 2022 – Uber’s former security chief has been convicted of attempting to cover up a massive data breach that impacted the personal information of millions of consumers in 2016.
A San Francisco jury has found Joe Sullivan, who joined the ride-hailing giant as chief security officer (CSO) a few months before the breach took place, guilty of criminal obstruction and of concealing the incident from cybersecurity authorities.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M Hinds said in a statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
The incident reportedly exposed personal data of 57 million passengers and drivers, including names, phone numbers, email addresses, and roughly 600,000 driving licence numbers.
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
At the time Sullivan was hired, Uber had already suffered a data hack in 2014, with personal information of around 50,000 users being exposed. Sullivan concealed the subsequent 2016 breach from the Federal Trade Commission (FTC) while the previous cybersecurity incident was still under investigation. Sullivan was fired by Uber in 2017.
The massive breach did not come to light until 2017, when the current CEO Dara Khosrowshahi joined Uber. The company has since paid $148 million to settle the lawsuit brought by the US government and 50 states over the ride-hailing giant’s failure to report the incident to authorities and attempts to cover it up.
Last month, Uber confirmed it suffered another cybersecurity attack in which several of its internal systems were accessed by a hacker, who had announced the hack on the company’s channel on the workplace messaging app Slack. The company claimed, however, that no sensitive data was compromised as part of the attack.