In 2016, Uber was fined $148 million for a data breach that affected more than 57 million users. Think your organization is too small to care? Think again. Keep reading to learn what happened at Uber and why it matters to you.

Joe Sullivan is an Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he then worked as a Chief Information Security Officer at Facebook and Uber. Pretty impressive!

Let’s focus on Joe’s role and work at Uber.

In spring 2015, Sullivan joined Uber as its first Chief Information Security Officer. At that time, Uber was experiencing multiple safety and security issues, and Mr. Sullivan’s primary focus was on the safety of riders and drivers, both in the digital space and in the physical world.

In November 2016, Uber suffered a data breach that compromised the personal information of more than 57 million users. The rideshare giant didn’t disclose the breach until November 2017, when its current chief executive officer took over and fired Sullivan.

In 2018, Uber paid $148 million to settle with attorneys general across the United States for violating state data breach disclosure laws.

The delayed notification was a bad idea. Worse still were the steps taken to conceal full details about the breach and Uber’s handling of the breach.

In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice related to his handling of the 2016 data breaches at Uber.

The criminal complaint said Sullivan arranged to pay a ransom for the breach as a “bug bounty” to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data. In December 2021, he faced additional charges of wire fraud.

On October 6th, 2022, Sullivan was convicted of one count of obstruction of justice and one count of misrepresentation.

There is a major point here – whoever is deemed to be the most senior person in the organization responsible for security has several obligations.

First and foremost, that senior officer has a responsibility to secure data.

If there’s a breach, there is a responsibility to disclose.

The guilty verdict against the Uber Chief Information Security Officer underscores the need for more transparency between the board, risk committees, and the executive team. More specifically, cyber incidents and responses to those incidents must be reported, and general cyber security awareness is key.

TGT has a team of Information Security Officers who can help you to think through your obligations and plan in such a way as to reduce or avoid embarrassment and liability in the event of a breach.

Call us today.
