Criminal Charges Filed for Cover-Up of 2016 Uber Data Breach featured image

Criminal Charges Filed for Cover-Up of 2016 Uber Data Breach

by John DiGiacomo

Partner

Internet Law

On August 20, 2020, the Department of Justice announced that a criminal complaint was filed against the former Chief Security Officer for Uber Technologies, Inc., related to an alleged concealment of a data breach/hack in 2016. See news report here. The criminal complaint charged the Security Officer with two counts — obstruction of justice and misprision of a felony.

The possibility of criminal charges should highlight, at a personal level, the importance of data security, the necessity of timely disclosure and the requirement of open and willing participation with law enforcement and regulators following a data breach. If your business has suffered a data breach, or even a potential data breach, you must consult with attorneys who have deep experience in data security and breach response. Many state laws require issuance of a notice of a data breach within specified deadlines. The deadlines tend to be short. There are serious civil penalties for failing to disclose a data breach. Now, criminal charges are possible too.

The Uber saga began in mid-2014 when Uber suffered a data breach. That breach resulted in the theft by hackers of names and driver’s license numbers for at least 100,000 Uber customers. See CNBC news report here. The Federal Trade Commission (“FTC”) opened an investigation and found that Uber had seriously deficient cybersecurity software, hardware, and protocols. The FTC also found that Uber allowed its drivers to improperly access and use the personal data of its customers. As the article reports, the FTC stated point-blank that Uber “failed its customers.” Uber and the FTC eventually agreed to enter into a 20-year remediation and data security monitoring plan.

However, without telling the FTC or making any sort of timely disclosure, Uber suffered ANOTHER data breach in October 2016. This new data breach occurred while the FTC was still investigating the 2014 breach. It seems that Uber had done little from May 2014 to October 2016 to improve its cybersecurity. As a result, cybercriminals again hacked Uber. This time, the hackers stole personal information for 600,000 Uber drivers and stole personal information, including names, email addresses, and phone numbers, for 57 million Uber customers.

Not only did Uber fail to timely report and/or disclose the October 2016 hack, Uber negotiated with the hackers and paid the hackers $100,000 to conceal the breach. The 2016 breach was finally made public in November 2017.

The recently-filed criminal charges relate to this cover up and concealment and, more particularly, relate to payment to the hackers to keep the data breach from being made public. Through his attorneys, the former Chief Security Officer has denied the charges.

As noted, the possibility of criminal charges raises the personal stakes for those tasked with responding to a cyberattack and/or data breach. The lessons are clear — disclose, remediate, cooperate, and never attempt a coverup.

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.

Extra, Extra!
Recent Posts

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Understanding Product Liability Law for Ecommerce Merchants

Understanding Product Liability Law for Ecommerce Merchants

Internet Law

Introduction Being an ecommerce merchant is hard; you have to keep an eye on your advertising spend, control your inventory, and make sure your customers are happy. Additionally, you also have to navigate a complex landscape of legal responsibilities. One of these areas, which is often overlooked, is product liability. Product liability law holds manufacturers, […]

Read more about Understanding Product Liability Law for Ecommerce Merchants

Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Internet Law

Introduction In our increasingly digital world, the significance of internet privacy is paramount. Internet privacy attorneys are essential in safeguarding the rights of individuals and organizations against various privacy-related challenges. This blog post delves into the key issues these attorneys address. Data Breaches and Cybersecurity Data breaches occur when sensitive information is accessed or disclosed […]

Read more about Understanding the Role of Internet Privacy Attorneys: Key Issues They Handle

Put Revision Legal on your side