Uber Hack Attack
2014 Data Breach
1. What Happened:
In 2014, hackers broke into Uber's systems and accessed the personal information of
around 50,000 users, including their names and driver's license numbers.
2. Uber's Response:
Uber informed the Federal Trade Commission (FTC) about the breach. This led the
FTC to launch an investigation into Uber's data security practices, focusing on how the
company handled personal information and protected it from unauthorized access.
3. FTC Investigation:
The investigation by the FTC required Uber to provide extensive details about its security
measures and any other data breaches. This made Uber's data security practices a point
of scrutiny for regulators.
2016 Data Breach
1. What Happened:
In November 2016, hackers managed to breach Uber's systems again. This time, the
breach was much larger:
○ It affected 57 million people, including both passengers and drivers.
○ Hackers stole personal data, including names, phone numbers, email
addresses, and 600,000 driver’s license numbers.
2. How Uber Found Out:
The hackers emailed Joe Sullivan, Uber's Chief Security Officer (CSO), directly,
informing him of the hack. They demanded a ransom to prevent them from publishing
the stolen data.
3. Joe Sullivan's Actions:
○ Instead of reporting the breach to the FTC or informing Uber’s management,
Sullivan took steps to hide the breach.
○ He paid the hackers $100,000 in Bitcoin under the guise of a "bug bounty"
payment (a reward for ethical hackers who report vulnerabilities).
○ Sullivan required the hackers to sign non-disclosure agreements (NDAs),
falsely stating that they had not stolen or stored any data. This was a lie, as both
Sullivan and the hackers knew the data had been taken.
4. Concealing the Breach:
○ Sullivan instructed his team to keep the breach secret and not share the
information beyond a small group.
○ He told a subordinate: “This investigation does not exist.”
○ Sullivan did not notify the FTC, even though the agency was already investigating
Uber due to the earlier 2014 breach.
○ Internally, Sullivan misled Uber’s new CEO and legal team by deleting key
details from reports about the breach.
5. Hiding the Hacker Payment:
○ Uber paid the ransom in December 2016, despite not knowing the hackers' real
identities.
○ Later, in January 2017, Uber identified the hackers and made them sign new
NDAs with their real names, but the instructions to keep the breach secret
remained.
The Aftermath
1. 2017 Disclosure:
In late 2017, after a management change, Uber’s new CEO, Dara Khosrowshahi,
uncovered the concealed breach.
○ Uber publicly disclosed the 2016 breach and reported it to the FTC.
○ Khosrowshahi fired Joe Sullivan and another company lawyer involved in hiding
the incident.
2. Legal Actions:
○ In 2020, Joe Sullivan was charged with:
■ Obstruction of justice: For failing to inform the FTC about the 2016
breach while the agency was still investigating Uber.
■ Misprision of felony: For actively hiding the breach and failing to report it
to law enforcement.
○ In 2018, Uber paid $148 million to settle legal claims across the U.S. for violating
data breach notification laws.
3. Lessons for Businesses:
○ Transparency: Companies must report data breaches promptly to authorities
and affected users.
○ Accountability: Concealing breaches can result in severe consequences for
both the company and individuals responsible.
○ Reputation Damage: Uber’s reputation took a significant hit, as users and
regulators lost trust in its ability to safeguard personal information.
Why These Issues Matter
● Repeated Breaches: The fact that both breaches (2014 and 2016) were caused by
similar vulnerabilities shows a failure to address known security gaps.
● Poor Leadership: Sullivan’s actions highlight how poor decision-making at the
leadership level can worsen a crisis.
● Legal Complexity: Data breach laws vary widely, making it essential for companies to
carefully navigate their obligations. However, intentional cover-ups, as seen here, are
never justified.