Connect with us

Hi, what are you looking for?


Uber’s ex-security chief faces landmark trial over data breach that hit 57m users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cybersecurity incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s license numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said at the time, adding that the company had investigated the delay and had fired two executives who had led the response to the breach, one of whom was Sullivan.

Uber’s disclosure sparked several federal and statewide inquiries. In 2018, Uber paid $148m over its failure to disclose the data breach in a nationwide settlement with 50 state attorneys general. In 2019, the two hackers pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program. In 2020, the Department of Justice filed criminal charges against Sullivan.

In court filings, federal prosecutors alleged that in an attempt to cover up the security violation, Sullivan had “instructed his team to keep knowledge of the 2016 Breach tightly controlled” and to treat the incident as part of the bug bounty program.

That program was intended to incentivize hackers and security researchers to report vulnerabilities in exchange for cash rewards, but it did not allow for “rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems”, the complaint says.

The hackers in the 2016 breach were rewarded $100,000, the complaint says, more than any bounty the company had paid as part of the program until that point.

Sullivan also allegedly had the hackers sign a supplemental non-disclosure agreement (NDA) which “falsely represented that the hackers had not obtained or stored any data during their intrusion”, federal prosecutors wrote.

The justice department complaint alleged that only Sullivan and the former Uber chief executive Travis Kalanick had knowledge of the full extent of the hack as well as a role in the decision to treat it as an authorized disclosure through the bug bounty program. However, as the New York Times first reported, the security industry is divided over whether Sullivan deserves to be held solely responsible for the breach. Some have questioned whether the role of other company executives and its board should be investigated as well, while others say Sullivan’s role in it was clear.

“I don’t know if Uber management knew about the concealment … or if Sullivan was directed to make the $100,000 payment to hide the breach. The trial will ferret all that out,” Jamil Farshchi, the chief information security officer at Equifax, wrote in a Linkedin post. “What I do know is that nobody is disputing that a breach of 57 million people occurred, Uber concealed it, and that Joe Sullivan … was involved in the concealment.”

Read more:
Uber’s ex-security chief faces landmark trial over data breach that hit 57m users

You May Also Like


The head of the International Monetary Fund has warned of increased risks to the stability of the financial system after weeks of banking sector...


After taking a breather in the week before this one, the Indian equity markets resumed their up move. The headline index continued with its...


It was supposed to be a debacle. As the Second World War drew to a close, the nation’s leading economists feared that, once the...


Small businesses are bringing forward their finance applications in order to beat expected further interest rate rises, according to new research. Four-in-ten (44%) SME...

Dislaimer:, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2023 | All Rights Reserved