Facts in a nutshell:
- In 2016, Joseph Sullivan, Uber’s former chief security officer (CSO), covered up a breach exposing the data of more than 50 million Uber customers and drivers.
- This case may be the first time a company executive has faced criminal charges over a cyber attack. The CSO was fired and federally charged with one count of obstruction of justice (relating to a Federal Trade Commission investigation) and one count of misprision (deliberate concealment) of a felony.
- With the breach affecting drivers in the UK and Netherlands, Uber paid over $1.2 million in fines to data protection authorities. “The October 2016 data breach affected approximately 2.7 million user accounts in the UK” — Spokesperson (NCSC) [1]
What happened, exactly?
- Hackers breached 57 million Uber users' and drivers' accounts and demanded $100,000 to delete their copy of the stolen data. The data included names, phone numbers, email addresses and more than 600,000 US drivers' licence numbers.
- Uber’s CSO at the time disguised the “ransom money” as a payment under the company's bug bounty program.
- The payment was made in bitcoin, and the hackers were asked to sign non-disclosure agreements that falsely stated no data had been lost.
- The incident was not disclosed to the FTC or the public until Uber's new CEO, Dara Khosrowshahi, joined the company in 2017.
- Convicted on the 5th of October 2022, Sullivan is currently facing a maximum of eight years in prison for obstruction of justice and failure to report the breach.
- In a statement published in 2017, Khosrowshahi assured the Uber community that “trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth” had not been found to be downloaded by the hackers [2].
News of Sullivan’s conviction comes on the heels of Uber’s most recent breach – an employee shared passwords with a hacker posing as a corporate IT worker, in an attack known as “social engineering”. This technique, SocialProof Security’s CEO Rachel Tobac says, is gaining popularity as a means of “gain[ing] a foothold within tech companies” [3].
After discovering the breach last month, Uber’s chief information security officer (CISO) Latha Maripuri assured employees that the hack was being investigated [5].
What can you do to avoid data breaches?
How can ISO 27001 help fight against data breaches?
“To err is human” – human error can always happen.
But simple mistakes can be avoided. Maintaining an ISO 27001-compliant information security management system (ISMS) helps your company assess and manage information security risks. In fact, data breach reporting is a key requirement of ISO 27001 compliance.
Here are a few more benefits of becoming ISO 27001 compliant:
- Improved data protection - Establish security controls to ensure the confidentiality, integrity and availability of data
- Reduced exposure to penalties - Increase resilience to cyber attacks and avoid being fined for non-compliance
- Legal compliance - Abide by legal, statutory, regulatory, and contractual obligations by securing information assets
- Efficient risk management - Ensure your ability to resume operations with minimal disruptions in the wake of a cyber attack
- Technology and compliance - Establish a centrally managed system to stay updated on and respond to vulnerabilities and security threats
- Competitive edge - Prove your commitment to information security and gain an edge over your competitors
How can DataGuard help you?
Falling prey to data breaches can cause heavy fines and compromise the reputation of your company. Uber’s mismanagement of the 2016 breach cost it an additional $148 million, paid to settle a case brought by all 50 states and the District of Columbia over its attempt to cover up the incident [6].
Cyber attacks are avoidable, and we can help you reduce the risk of a data breach with our holistic solution for managing information security, InfoSec-as-a-Service.
- We have a 100% first-time pass rate for customers completing external information security audits.
- We help digitise processes, automate manual tasks and compile a single source of truth for your information security.
- We help you get ISO 27001 certified and earn a competitive advantage that helps to shorten deal cycles.
Let us look after the technicalities of your organisation’s information security and free up valuable time for you to run your business.