Lessons from Uber's Data Breach & Security Cover-Up Scandal
Uber CISO's trial underscores the importance of truth, transparency, and trust
Failure to adhere to the three T’s can have serious consequences, as this case shows.
Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and its data safe and secure. Failure to adhere to the three T’s can have serious consequences.
Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.
The case against Uber’s former CSO
By way of background, Uber’s former CSO faces a five-felony-count superseding indictment associated with his handling of the company's 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.”
Furthermore, the two individuals who are believed to have carried out the hack and subsequently requested payment for non-disclosure ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in the media as Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by LinkedIn).
Uber’s late breach notification
It was November 2017 when the new CEO, Dara Khosrowshahi, provided context surrounding the breach and acknowledged that the company's advisory was a year late. Apparently, the internal discussion at the time of the breach cataloged the event as a “bug bounty” payout and not a breach, and thus saw no need to disclose it. Semantics or subterfuge? The subsequent settlements and Khosrowshahi’s statement indicate the latter may have been at play.
The breach included names, email addresses, and mobile phone numbers of 57 million Uber users around the world, which included 600,000 of the company's drivers’ names and license numbers. Included within the statement was the revelation that two individuals associated with the breach incident response had been terminated that same day (no names provided).
Meanwhile, in September 2018, California, the San Francisco attorney general, and the California state attorney general announced a $148 million nationwide settlement “resolving allegations that Uber Technologies, Inc., violated state data breach reporting and reasonable data security laws.”
The settlement included specific actions and reforms within Uber:
● Implement and maintain robust data security practices.
● Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
● Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
● Develop, implement and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
● Report any data security incidents to states on a quarterly basis for two years.
● Maintain a corporate integrity program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.
In October 2018, the Federal Trade Commission (FTC) dropped its hammer, with Uber agreeing to a settlement. Within the settlement, the 2016 breach and the 2014 breach are each dissected and explained. The pathway to the 2016 compromise? An Uber engineer had posted the Amazon S3 datastore access key on GitHub. The hackers “accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches.”
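The root cause described above, a cloud access key committed to a source repository, is exactly the kind of leak a pre-commit secret scan is meant to catch before the push. The following is an added example, not code from the article or from Uber: it scans text for the well-known AWS access key ID format and for secret-key assignments, run here over a constructed sample config file with fabricated values.

```python
import re
from dataclasses import dataclass

# Well-known AWS credential formats: long-term access key IDs start with "AKIA",
# temporary (STS) key IDs with "ASIA", each followed by 16 uppercase alphanumerics.
# Secret access keys are 40 base64-like characters; they are only flagged when
# they sit next to an identifying variable name, to keep false positives low.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return every suspected AWS credential in `text`, one Finding per hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", m.group(1)))
    return findings


def redact(value: str) -> str:
    """Keep only the first four characters so the report itself does not re-leak the key."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample of a credentials file an engineer might commit by mistake.
# The values are fabricated and follow the format only; they are not real keys.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
# log bucket: s3://example-logs/  (no credential on this line)
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
    raise SystemExit(1 if hits else 0)  # non-zero exit makes a git hook reject the commit
```

Wired into a pre-commit hook over the staged diff, a non-zero exit stops the key from ever reaching the remote; rotating any key that does slip through is the companion control.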
Lesson for CISOs: Be honest and transparent with board, C-suite
Fast forward to 2022, and the last piece of the legal morass enveloping Uber’s 2016 data breach is reaching its conclusion: the trial of former Uber CSO Sullivan. It is clear from the most recent court filings that Uber doesn’t wish to have its internal emails splayed out on the table in court, and Sullivan’s attorney believes that some of those internal emails will serve to mitigate and address the allegations brought forward by the DOJ. Was the company’s legal team a party to the semantic wordplay that cataloged the hackers as bug bounty awardees?
The judge has provided a timeline for the parties to sort out which internal documents are contentious and to make their case pending judicial review and adjudication. Then the items will be disclosed to prosecutors.
As Violet Sullivan, a cybersecurity and privacy attorney who serves as vice president of client engagement at Redpoint Cybersecurity, observes, there is a very real need to effectively brief the board and C-suite on the realities of cybersecurity: it is not 100% secure. Furthermore, there is the harsh reality that many CISOs who don't take the time to educate find their employment terminated in the event of a breach.
I agree. Much of the information security or CSO team’s success is predicated on the allocation of resources. As detailed in the FTC settlement, what is represented must match that which is practiced.
Uber is now enjoying years of federal oversight and review of its “privacy program and for 20 years (beginning in 2018) obtain biennial independent, third-party assessments, which it must submit to the Commission, certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.”
It is not difficult to embrace the doctrine of truth, transparency, and trust by making an investment upfront in basic cybersecurity processes, event remediation, and, above all, consistent documentation processes. It is much more cost-effective than the millions of dollars in fines, loss of trust, and years of over-the-shoulder review by various entities of the federal government.
csoonline.com