Introduction
If you used rideshare apps in 2016, then you’ll vividly remember the hack on Uber’s database that exposed 600K drivers’ license numbers and 57M users’ personal data.
At the time, their Chief Security Officer, Joe Sullivan, had just been hired the year prior. Then hackers emailed him November 2016 informing him of the data breach and demanding $100K in bitcoin to retrieve the data and hide the hack from public knowledge.
Why He Was Charged
When company databases get hacked, they are required by law to notify those users with affected PII (personally identifying information, like your full name and address) as well as authorities to investigate. In 2016, Uber should have immediately notified their userbase of 45M monthly riders, the FBI to look into it, various states that require the disclosure of breaches that affect a resident’s PII, and the Federal Trade Commission.
The breach came to light a year later; then in 2018, they paid $148M in settlements. Finally, in 2020, Joe Sullivan was charged with obstruction and withholding information about the breach. He was found guilty in October 2022 and currently faces up to five years in prison for obstruction and up to three years for misprision.
What You Should Do During a Cyber Event
If you receive notice that your database has been breached, you need to inform anyone whose PII may have also been included in that exposure. This is most likely to occur after you’ve been targeted on your work network, where you’re more likely to store private information about people other than yourself. There are different laws that dictate the acceptable time frame in which to report cyber events:
- Financial institution must report significant threats within 36 hours
- The American Bar Associate requires their attorneys to securely transmit and store client data
- HIPAA regulates the disclosure of private healthcare information; physically, verbally or electronically
- The Homeland Security Act contributes to the protection of our critical infrastructure
- The Gramm-Leach-Bliley Act requires financial services to safeguard PII and disclose how and why they share information
These are just a few affecting various institutions; the role you play within your organization also decides your reporting duties, what data you manage and the measures you take to protect the information under your purview. Joe Sullivan is a good, current and real-life example of what happens when you don’t disclosure serious data breaches when they happen.
Conclusion
Having your accounts compromised is bad enough! Don’t add to the horror by paying fees to hide the data breach from the affected users and the authorities. You could end up paying for it in settlements, lawyer fees and even jail time. When you accept management of other people’s PII, you must comply with security regulations and standards as expected of your position. That includes how you manage their data, when you may disclose it, and what to do in the event of improper outside access to that information.
Don’t give cybercriminals what they want. Protect your accounts from intrusion and report data breaches ASAP to avoid more trouble. Follow our blog for regular tips on keeping your systems cyber-secure!
References
- https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/
- https://www.theguardian.com/technology/2022/oct/05/uber-joe-sullivan-former-security-chief-guilty-data-breach
- https://fortune.com/2022/10/06/uber-former-chief-security-officer-joseph-sullivan-convicted-cover-up-2016-data-breach-hackers-stole-millions-customer-records/
- https://expandedramblings.com/index.php/uber-statistics/
- https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
- https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act