
Uber Security Chief Faces Criminal Charges Over Breach Handling

As former president Richard Nixon learned the hard way, the cover-up is often worse than the crime.

Joe Sullivan, Uber’s former chief security officer, is on trial over how Uber’s 2016 breach was handled.

Specifically, Uber was hacked back in 2016. Data on 57 million drivers and customers was compromised. The breach was not disclosed until November 2017, when Uber’s then-CEO revealed it.

At the time of disclosure, Uber’s CEO said the company had investigated the delay and fired two executives. Uber paid almost $150 million in fines over the case.

Uber is well known for ignoring laws and asking for forgiveness. While they are not admitting this now that they have been caught, it is likely that there was some executive “guidance” on the subject.

Prosecutors say that Sullivan instructed his team to keep quiet about the breach. He also is reputed to have told his team to treat the breach as part of their bug bounty program. Bug bounty programs do not apply to people who break the law and steal data, in my experience.

The hackers were “rewarded” with a $100,000 payment, larger than any bounty Uber had previously given, and were required to sign a supplemental NDA (which actually was not, at least not exclusively, an NDA). The document the crooks signed stated that they had not obtained or stored any data during their intrusion. This was a lie, and Uber likely knew that.

In 2018, months after Sullivan was fired, he contested any claims that there was a cover-up. Even if this were true, and the state is saying it is not, that doesn’t explain why the breach was not disclosed for a year. That delay, by itself, is a cover-up.

Of course, if you have a signed document that says the intruders didn’t take any data, even if you know the document is a lie, you could claim that you didn’t disclose the breach because there was no theft of data.

The DoJ said that Uber’s former CEO, Travis Kalanick, was also aware of the game plan. He is not, currently, being charged.

There are several morals here.

First, if you are in charge of security and you are asked or told to do something which you know or believe to be illegal, playing along can get you in serious trouble and you should get legal advice. You might be able to be a whistleblower, which gives you a number of protections.

Second, if you are the CEO and you decide to throw your employee under the bus, it might work out okay for you, but it also might not.

Bottom line: the laws continue to get more specific, and you are likely to get into legal trouble if you don’t follow them. Cover-ups almost always get you in trouble if you get caught.

By the way, Uber is not paying for Sullivan’s legal defense; that is coming out of his own pocket, although he might sue Uber later to recover those costs.

Credit: The Guardian