FBI Charges Former Uber Chief Security Officer With Obstruction of Justice and Misprision of a Felony
On August 20, 2020, the FBI charged Uber’s former Chief Security Officer (CSO) with
obstruction of justice and misprision of a felony for his role in the attempted cover-up of the 2016 data breach which exposed the personally identifiable information (PII) of 57 million Uber users and drivers.
Uber Chief Security Officer Conceals 20116 Breach from FTC and Executive Management
The FBI complaint alleges the CSO took deliberate steps to conceal, deflect and mislead the Federal Trade Commission (FTC) about this 2016 breach while the FTC was investigating a separate 2014 Uber data breach. The CSO provided sworn testimony to the FTC regarding the 2014 breach days before the hackers contacted the CSO regarding the 2016 breach. Instead of informing the FTC, the CSO took deliberate steps to prevent knowledge of the 2016 breach from reaching the FTC. The CSO instructed his security team that knowledge of this breach was to be disclosed outside the security team only on a need-to-know basis and the organization was going to treat the incident under its bug bounty program. The CSO arranged for the unidentified hackers to get paid $100,000 in Bitcoin during December 2016.
The FBI complaint also notes the CSO deceived Uber’s new management team about the 2016 breach. The CSO failed to provide the executive team with critical details about the 2016 breach, When a new Uber CEO arrived in August 2017, the CSO briefed the new CEO about the 2016 breach via email and presented an altered summary of the 2016 breach to the CEO. The CSO had removed details about the data the hackers had stolen and falsely stated that payment had been made only after the hackers had been identified. By failing to notify law enforcement, these hackers continued to successfully hack other technology companies. During November 2017, Uber disclosed the 2016 data breach publicly, apologizing for the failure to do so promptly, and fired the CSO and a security attorney assigned to his team.
As one can note, concealing a data breach from executive management and cybersecurity regulators has severe consequences which can result in being charged with a federal offense by the FBI.
For Executive Management/Board of Directors, it is imperative to fully understand your enterprise cybersecurity risk management program and cyber’s overall impact to your organization. It is key to establish a positive relationship and robust dialogue with your CIO/CISO/CSO and their security team. This is necessary for full transparency as successful cyber breaches will occur and impact your organization. How these cyber breaches are addressed by your CIO/CISO/CSO is incumbent on the proper execution of your cybersecurity governance responsibilities. If you do not have a foundational understanding of the various facets of cybersecurity, request the services and assistance of external cybersecurity advisors.
As for the CIO/CISO/CSO, address all cyber incidents in a professional manner by effectively responding and recovering from the incident and resuming normal operations. Remember to contact law enforcement as per your organization’s policies and procedures to assist in preventing other organizations from becoming future cyber breach victims. Ensure a transparent and robust dialogue with executive management and the board and ensure they understand the various aspects of cyber’s impact to the organization. If this is a challenge and exceeds your training capabilities, request the services and assistance of external cybersecurity advisors to assist in this leadership endeavor. And finally, do not hide or cover up a data breach as today’s consequences can be severe and last a lifetime.