
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
What Happened to UBER?! Story of Trust Broken.
This episode explores the rise and controversies of Uber, including its inception, expansion, rebranding, leadership changes, autonomous vehicle program, protests, toxic culture, and legal troubles. It also delves into the significance of a major data breach, the trial of Joe Sullivan, Uber's former chief security officer, and recent fines assessed against the company.
Chapters
- 00:00 Introduction: Uber's Data Breaches
- 02:22 The Importance of Data Protection
- 04:21 The Wake-Up Call for Companies
- 05:44 The Damage to Uber's Reputation
- 06:14 The Story of Uber: From Founding to Data Breaches
- 31:51 The Trial of Uber's Chief Security Officer
- 34:41 Criminal Charges and the Responsibilities of Internal IT Leaders
- 45:09 The Uber Data Breach: Lessons in Security and Trust
- 52:00 An 18-Year-Old Hacker's Access to Uber's Systems
- 01:07:30 Implications for the Industry: Reevaluating Roles and Liability
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Summary
Uber, a global giant in the transportation industry, has been hit with several severe data breaches between 2018 and 2021. The Dutch data protection authority recently fined Uber $324 million for poor handling of driver data breaches. This incident highlights the importance of data protection and the potential consequences for companies that fail to prioritize it. The story of Uber's founding, its repeated data breaches, and the trial of its internal chief security officer will be explored in this episode. The conversation discusses the criminal charges faced by Joe Sullivan, the former CIO of Uber, for his role in concealing a data breach. It explores the implications of these charges for internal IT leaders and the broader industry. The conversation also delves into the details of a recent cybersecurity incident at Uber, where an 18-year-old hacker gained access to the company's systems and posted screenshots of sensitive information. The discussion highlights the importance of strong security measures and the potential consequences of failing to protect data.
Takeaways
- Uber's poor handling of driver data breaches resulted in a $324 million fine from the Dutch data protection authority.
- The incident serves as a wake-up call for companies to prioritize data protection and take it more seriously.
- The story of Uber's founding, its repeated data breaches, and the trial of its internal chief security officer will be explored in this episode.
- Data breaches can have significant consequences for a company's reputation and the trust of its customers. Internal IT leaders may face criminal charges for mishandling data breaches, raising questions about their responsibilities and potential personal liability.
- The case against Joe Sullivan, the former CIO of Uber, highlights the importance of complying with breach reporting requirements and not engaging in cover-ups.
- The cybersecurity incident at Uber, where an 18-year-old hacker gained access to sensitive information, underscores the need for strong security measures and vulnerability testing.
- The case and incident have significant implications for the industry, with security leaders reevaluating their roles and potential personal liability.
Dino Mauro (00:02.932)
Imagine this, you're an Uber driver or a passenger and hop in an Uber while in the Netherlands, going about your daily hustle unaware that your personal information is actually at risk. As a driver, you trust that your employer, a global giant like Uber, has your back. As a passenger, you trust that the pay card information, your location, how long you were visiting where you were at, who lives
at the locations you were visiting all remains private or at least inside the Uber app. But you might be wrong. One day the unthinkable happens, your personal details, data about your earnings, your car, even your driver's license fall into the wrong hands. This isn't just a hypothetical scenario. It's exactly what happened between 2018 and 2021. Uber,
a company that many of us rely on for convenient rides and quick getaways, was hit with several ongoing severe data breaches. Hackers managed to get their hands on sensitive information about drivers, about passengers. And while Uber's name has often been associated with cutting edge tech, and the story of its founding is fascinating, and we're going to tell you from the beginning to the current state in just a second,
Uber is synonymous with innovation and it's been splashed across the headlines so many times for failing to protect its most valuable assets. Us. So fast forward to today, the Dutch data protection authority, the DPA over the Netherlands, this week
just dropped a bombshell, a $324 million fine on Uber. The reason? Uber's poor handling of driver data breaches. The Dutch data protection watchdog slapped them with a 290 million euro fine, which in today's translation is 324 million US dollars, this past Monday.
Dino Mauro (02:22.062)
for allegedly transferring personal details of European drivers to the United States without adequate protection. Well, you may be thinking who cares? Like who cares if they transfer data from the UK to the US? Well, apparently the world cares. Plus, as we've pointed out numerous times with global CISOs on this podcast, the United Kingdom and Europe in general values
privacy and personal privacy is a fundamental human right. Unlike us here in the United States, where we TikTok everything and show our family online and show everybody where we live, what we do, you know, etc. So and the legal basis is this, the alleged breach came after the EU's top court ruled in 2020, that an agreement known as the privacy shield that allowed thousands of companies from
tech giants to small financial firms to transfer data to the US was invalid, because the US government, the American government, could snoop on people's data. Great to think about, isn't it? Monday's announcement is also not the first time the Dutch data protection watchdog has fined Uber. Just earlier this year in January, the agency fined Uber 10 million euros
over what it said was the company's failure to disclose how long it retained data from drivers in Europe or to name non-EU countries it shared its data with. Uber calls this decision, not the one in January, the one this week, flawed and unjustified and says that it will appeal. Time will tell and we will keep you posted. The Dutch Data Protection Authority said the data transfers spanning more than two years
amounted to a serious breach of the EU's GDPR, General Data Protection Regulation, which requires technical and organizational measures aimed at protecting personal user data. But here's the kicker. It's not just about the money. This is a wake up call for all of us. If a tech titan like Uber can get hit like this, what does it mean for all of us? Uber's mistake wasn't just the breach itself.
Dino Mauro (04:48.982)
The company failed to report the breach on time, leaving drivers vulnerable and in the dark. The Dutch watchdog didn't mince words. Uber had a legal duty under GDPR to protect this data and it fell short. For drivers and passengers, it's a chilling reminder of how their personal information, names, address, earnings can be compromised without us being told about
The DPA's ruling isn't just a slap on the wrist either. It's a loud echoing message that shines beyond the Netherlands. Companies need to take data protection more seriously or face the consequences. Uber, this fine is a financial blow, but the real damage might be to its ongoing reputation and the trust that keeps getting pummeled.
for its drivers and its riders. So next time we hop in an Uber, remember, the world is watching how companies like this handle our data. It's a high stakes game where players can't afford to keep dropping the ball. So this is the story we're going to walk you through the founding of Uber, how it all started, how it dealt with repeated data breaches.
how an alleged cover-up and then the prosecution of their internal chief security officer unfolded, and where they are today. This is a story of what happened to Uber and how Uber broke trust.
Dino Mauro (06:41.558)
Join us as we go behind the scenes of today's most notorious cybercrime. Every time we get online, we enter their world. So we provide true storytelling to raise awareness, interviewing global leaders, making an impact and improving our world, translating cybersecurity into everyday language that's practical and easy to understand. We appreciate you making this an award winning podcast by downloading our episodes on
Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and now the show.
Dino Mauro (07:32.398)
This story begins where all great ones begin. On a rainy warm night in Paris, inception of the Silicon Valley tech startup, one which the world has never seen before or since. It changed the world as we know it, despite its explosive growth, the many scandals, and the fact that it was illegal in many parts of the world and cities where it would first open up.
Uber has arguably disrupted the transportation industry globally, a first of its kind. It also has a cyber crime story built into it and an historical landmark legal case where the tech company's own head of cybersecurity, Joseph Sullivan, a former federal prosecutor himself, would wind up being indicted by a federal grand jury taken to trial.
and found guilty. We walk you through it all from start to finish. This is the story of what happened at Uber and how cybersecurity leaders can be liable. Dave's story got more interesting the more we dove into it. David, why don't you walk us through it? So let's rewind back to 2008. Two friends, Travis Kalanick and Garrett Camp, were attending Le Web in Paris, France.
Le Web is an annual tech conference. It's been described, like in The Economist, as where revolutionaries gather to plot the future. Back in 2007, both of them had sold startups and so they had a lot of cash reserves. They had co-founded, both of them. Kalanick had sold Red Swoosh to Akamai Technologies for 19 million and Camp had sold StumbleUpon,
which if you remember that back in the day, he'd sold that to eBay for 75 million. So rumor has it that the concept for Uber was born like at night during a conference when the two of them couldn't get a cab. Initially, the idea was for a timeshare limo service that could be ordered by a mobile app. And after the conference, the entrepreneurs went their separate ways. But when Camp got back to San Francisco, he continued to be fixated on that idea.
Dino Mauro (09:56.608)
and then even bought the domain ubercab.com. Interesting. The concept was innovative. Order a custom ride from a simple phone app with a push of a button through GPS coordinates, be able to see where the car is, information on the driver, and have it pop up anywhere you are without having to hail a traditional cab, which could be hit or miss based on many factors,
all at a cost which, while slightly more than a traditional cab, was automatically charged with tip, etc. through the app to your credit card. In June 2010, UberCab launched in San Francisco and quickly became a huge hit among Bay Area techies. Here's even a screenshot of the original app. Podcast listeners can see it on our site or in the notes. That is so cool. UberCab was off and running.
They closed a $1.25 million seed funding round from First Round Capital with investors Jason Calacanis, Kalanick's friend Chris Sacca, and Napster co-founder Shawn Fanning. Then in October 2010, UberCab rebranded itself. It became known as we know it now, Uber. So the reason this matters is because they changed the name to avoid the company
marketing itself too much like a taxi business. See, tensions were high with the taxi industry in every location the company went into. This would be a recurring theme over the next decade. There were protests, there were government interventions, there were lawsuits. The taxi industry, the unions, the local ordinances, the state
laws and regulations all had to be navigated for Uber to expand, and they did. Uh-huh. So what happened next? So right after they rebranded, the first of many leadership upheavals happened. Later that same year Ryan Graves, who was Uber's first CEO, stepped out. By the next year they had launched in New York City, their largest market to date, and
Dino Mauro (12:15.506)
expanded internationally all the same year. They started, of course, where it all began in Paris, France. And it wasn't without controversy. They soon received strong pushback from lobbyists, the taxi industry, politicians, every single place they went. Consequently, the Uber business model became the form, right? The aggressive approach that they had to take started to have
framework around it. It started to become a model: when they would find a new location they wanted to enter, they had to figure out how they were going to anticipate the objections they were going to see, how they were going to overcome them even before it started, so that they could become proactive, a strategy they perfected. Essentially, before launching into a new city or country they would spy on other market data, information on the unions, taxi groups, political power,
influence, local laws and regulations, how to battle them, including monitoring and engaging lobbyists, politicians, and power brokers. They continued that approach, dealing with the PR challenges, all while perfecting their model and their technology. In 2014, taxi drivers in London, Berlin, Paris, and Madrid staged a massive large-scale protest against Uber.
Taxi companies have been claiming that Uber avoids paying expensive license fees and bypasses local laws, which creates unfair competition. That's insane. Then what happened? Well, what sets the Uber story apart from others is that all of this was happening at the same time. You've got the riots and political upheaval. You've got internal culture issues, massive lawsuits. You've got
Union issues and lawsuits from their own drivers wanting to be deemed employees so that they can get benefits, et cetera. And meanwhile, Uber at the same time is seeing their vision and the future through their technology in autonomous driving. So by 2015, Uber announced a partnership with Carnegie Mellon University to create a new facility in Pittsburgh for testing
Dino Mauro (14:38.872)
self-driving cars. Guys remember this? The first test vehicles out of Uber's Advanced Technologies Center are seen on the streets of Pittsburgh just a few months later. But even that was fraught with controversy. And we'll get to that in just a second. That same year, at the same time as all this, they also launch Uber Eats.
Right? The on-demand food delivery service that brings meals to your location no matter where you are in minutes. The service starts in four pilot cities, Los Angeles, Barcelona, Spain, New York, and Chicago. And it expanded internationally. Of all their initiatives, many of which had fits and starts and never really lasted, there's a whole bunch of them we're not getting into, but Uber Eats was successful and it remains a stronghold of theirs even to this day.
Again, that same year, 2015, while those violent protests are erupting across France as taxi drivers and their supporters block roads, burn tires, and attack suspected Uber drivers. Uber also finds itself in a struggle with other lawsuits involving death and injuries to those getting Uber wrapped.
And so what was called into question at the time was their hiring practices, their background checks, things like that. And just a couple months later in February 2016, Uber had to pay $28.5 million to 25 million riders to settle a class action lawsuit surrounding its advertisements. After the settlement, Uber was barred
from using the terms quote, industry leading unquote or quote, best in class unquote when referencing its drivers checks. Why? Well, we'll get into that in just a second. By July of 2016, Uber announced that it had just completed its two billionth trip, which is amazing for a startup that's outstanding, but what's even more shocking
Dino Mauro (17:00.142)
is that was only six months after it reached its one billionth trip. So in six months, it had completed a billion trips. Soon though, the drama continued to plague Uber. And they found drama once again in July of 2016 when a federal judge ordered that Uber, quote, engaged in fraudulent and arguably criminal conduct, unquote, when it used an investigative firm to
conduct a background check on a plaintiff in a lawsuit. The plaintiff accused Kalanick, CEO at the time, of violating antitrust laws by coordinating surge pricing, like price gouging, essentially is what was alleged. But at the same time, like I mentioned before, Uber was setting its sights higher and higher tech and more advanced tech, namely autonomous vehicles.
This was their future in their strategic planning, it seems. It would be the nail in the coffin of their competitors and the taxi industry and would solve the issues they faced by all the lawsuits brought by Uber drivers who were claiming to be employees rather than mere contractors without benefits or of employment status. All that could go away with automated vehicles. So that issue
The issue of whether Uber drivers continue to be deemed employees versus independent contractors, that continues to be litigated today in 2022. Different courts throughout the United States are addressing it. So with their eyes set on autonomous vehicles, in 2016 Uber launches an autonomous car program in San Francisco. No sooner though that they do that, once again, drama finds Uber and California's
Department of Motor Vehicles quickly declares the program illegal and Uber was forced to end it and look to other locations for testing its driverless cars. Another challenge that happened was in January 2017, guys will probably remember this, President Trump at the time announced a travel ban to several majority Muslim countries. In response,
Dino Mauro (19:23.182)
swarmed the New York City airport with taxi drivers striking in support. However, Uber continued to operate, leading to a huge backlash as hundreds of thousands of customers took part in the viral hashtag delete Uber campaign. And you remember the lawsuit settlement mentioned earlier? Well, they were plagued by litigation. In February 2017, a former Uber engineer named Susan Fowler
published a blog post with allegations of a toxic and sexist culture at the company. Kalanick, the CEO at the time, who was dogged by all of this drama that seemingly appeared to be surrounding him, pledged to look into the matter and hired former US Attorney General Eric Holder to lead an independent investigation into the company's culture.
In February that year, Fowler's story is followed by a New York Times report about Uber's aggressive, unrestrained workplace culture. The story alleges that Uber employees did cocaine during company retreats, that a manager was fired after he was accused of groping multiple female employees, and it goes on and on. And who can forget the infamous Super Bowl video of February 2017? When on Super Bowl Sunday, dash cam video caught Kalanick
losing his cool in an argument with an Uber driver about lowered fares. He went off on him, and it was extremely unprofessional and embarrassing for the CEO. Kalanick soon issued a profound apology and said he'll seek out leadership help by hiring a chief operating officer at the company. The following month, even more drama follows Kalanick when in March 2017, his ex-girlfriend,
violinist Gabi Holzwarth, details incidents of sexism she witnessed while she was at Uber. One story she tells is about a visit by several Uber executives to an escort karaoke bar in South Korea, which allegedly culminates in formal proceedings filed by a female Uber executive who filed a complaint. June of that year, the results of the internal investigation into Uber's workplace culture
Dino Mauro (21:45.614)
are released to the board. The investigation doesn't sound good. It finds 215 claims from employees of discrimination and sexual harassment. And the company says that over 20 employees were fired following that report. That same month, Kalanick, CEO at the time, the founder from Paris, who conjured up the idea,
is essentially forced to leave. He takes a leave of absence from Uber to quote, work on myself unquote, after a year, longer than a year, riddled with scandal and controversy. No timeline was given. Simultaneously, Uber was being sued by Google, Alphabet actually, on behalf of their system Waymo, claiming that a former employee of theirs stole secrets relating to self-driving technology.
The case was settled in early 2018. In addition to that, the New York Times revealed that Uber has used a feature that would allow it to operate in areas where it was illegal, resulting in a criminal investigation. So after that shareholder revolt in June of 2017, Kalanick formally resigns. And after a little more than two months, it was announced that Dara
Khosrowshahi, who was then the CEO of Expedia, took over. At the same time, or right around just a month or two later, it was kind of a surprise move. Kalanick exercised his control over the last two Uber board seats that still lasted under his control, and he appointed Xerox chairwoman Ursula Burns and former Merrill Lynch CEO John Thain. The move seems to be designed to get ahead of the proposed changes to the board structure
that would have otherwise wiped out Kalanick's power completely at Uber. That move though, poisons the feeling on the board and among leadership against Kalanick, and it seems to have backfired. And then it happened. In November 2017, the massive data breach occurred that changed the world. And before we get into the breach, let's just finalize our
Dino Mauro (24:09.934)
talk on the autonomous vehicle initiative, since Uber was one of the pioneers in driving cars, as they saw it as their future. So in January 2018, Uber officially closed a deal for Japanese investor SoftBank to take a 15% stake in the company. The deal severely limited Kalanick's influence and voting power on the board. But then in March 2018, an Uber self-driving car struck and killed a 49-year-old
pedestrian named Elaine Herzberg while in Arizona. It's the first recorded pedestrian death involving an autonomous car in history. Uber briefly paused its self-driving program at the time as a result of the death, and Arizona suspended their test program. In August 2018, Toyota invested heavily, over $500 million in Uber, valuing the company at the time at $72 billion
dollars. And then shortly thereafter Uber went public. It was the, at the time when it went public, it was the highest valued private company in history. Extremely impressive for two guys who couldn't get a cab a few years earlier at a tech conference. So now let's address the breach. The breach is significant for two main reasons. The massiveness of the breach itself and the significance it has.
today in 2022 to the world of attorneys, in-house counsel, CIOs and business owners on the results of how to handle a data breach. David, tell us about what we found. So here's what happened. Sullivan served as Uber's chief security officer from April 15 through November 2017. During that time, he helped the company
respond to a Federal Trade Commission, FTC, investigation of an earlier data breach the firm experienced back in 2014. He was familiar intimately with the process for investigating breaches, because he's held security leadership roles in various highly recognized brands. And he even provided sworn testimony to the FTC about Uber's earlier data breach and Uber's
Dino Mauro (26:35.47)
security practices. But in November 2016, just 10 days after providing that testimony for the prior breach, there's a complaint filed by the US attorneys that alleges that Sullivan learned about the subsequent, the second breach involving millions of users, but allegedly promptly began to cover it up. Seriously? Well, here's how it's
been reported to have happened. November 14th, 2016, Sullivan, chief security officer, receives an email from John Doughs, D-O-U-G-H-S, at protonmail.com. Funny, right? And it claims that there's a major vulnerability. And they look into it and they say that they've accessed a database of customer information and they've been able to dump a bunch of the data, you know, a data dump
means like a transfer of a large quantity of information. So Sullivan and his team go and they investigate right away, and they find that they had indeed accessed the database of driver's license numbers, confidential information, a lot of stuff that if this got out, it would be really, really bad for the brand of Uber. They found immediately that they had all this information on over 600,000 Uber
drivers and private information of customers. And then what's worse is they found that they had kind of done the breach essentially the same way as it happened the first time. The first breach. They sent an email, the hackers had sent an email from that John Doughs account from stolen credentials, right? And it found that they had accessed Uber source code on GitHub. And within that code, they were able to get
the cloud information, the Amazon Web Services credentials that they could use to access the company's Amazon databases. So what is at issue is in his testimony to the FCC at the beginning of the hearing November 4th, 2016, Sullivan had highlighted the importance of key management and not hard coding access credentials into that source.
Dino Mauro (29:02.41)
as an important part of an overall security program for the company. The reason that matters is that all of this winds up leading to the exposure of this data and extremely sensitive information. Yeah, and our research found all these reports on this tracker document that basically laid out the timeline. And it illustrates...
allegations of the secrecy and how with all of the initiatives they had going on, all of the scandals, all of the lawsuits, all of the bad press, they really, really wanted to keep this second data breach as quiet, right? And there's a statement in there in this report on the tracker document that said, what is our position to the company to talk about what we're doing?
And their position was going to be we had a data breach back in 2014. We learned our lesson and we need to get our house in order. The investigation does not exist. We're doing this in order to protect our information. And then the complaint brought by the US attorneys alleges that ultimately Joe Sullivan's decision was to handle the incident, the second breach 2016 under the company's bug bounty.
program, choosing to pay off the hackers with $100,000 in Bitcoin, meaning rather than disclosing the breach, working and being transparent with the FTC, they kept it silent, even though they were already testifying in front of the FTC on the prior breach. And to pay the criminal hackers $100,000 each,
basically to keep them quiet as it's alleged. And what they did is they sought to have the hackers sign non-disclosure agreements in exchange for the $100,000. And in fact, they did. But then they found that the hackers had used fake names, shocking. And then they had to reach out to them and get them to sign under their actual names after they had done
Dino Mauro (31:23.296)
additional investigation. But what happened is by then the FTC had found out and then the feds got involved and there was the change in leadership away from Kalanick and the new leader, the new CEO said we would never have handled it this way and his clean shop and in addition terminated Sullivan. That's insane.
Well, how it played out is the non-disclosure agreement that they had had the hacker sign essentially said that you promise you're not going to take or store any of the data from your research that you've delivered to us or forensically destroy the information and that you would never disclose it to the public. But what happened is the hackers at convention, they initially signed the document using pseudonyms.
Later on in January 2017, after Uber had paid them that $100,000 each in Bitcoin, Uber's security team identified the two hackers' actual identities. They followed up with them to sign the same non-disclosure agreement. But both men who did the breach and received the payment, they pled guilty
to trying to extract these bounties from both Uber and they'd done the same thing in LinkedIn, allegedly, through LinkedIn's data breach. So when in August 2017, the new CEO, Dara Khosrowshahi, begins, he starts to get involved and learn of all this. And then what's alleged here is that Joe Sullivan at the time initially lied to his new boss about the breach.
His staff had drafted a summary of the breach and stated that everything was contained, that all rider and driver data would not be disclosed and wasn't accessed or exfiltrated by the hackers. It's insane because the allegation, the federal claims against Joe Sullivan, it's saying that when he initially wrote that summary, or his team wrote the summary, then Joe Sullivan went in and deleted the part about the hackers actually taking
Dino Mauro (33:43.694)
the data, right? So the new CEO didn't know that the hackers had actually accessed the confidential information and also incorrectly said, as alleged, that the $100,000 that had been paid to the hacker was only paid after they actually had their real names, which obviously wasn't correct. So right around the same time in November 2017, the company finally disclosed the second data breach to the FTC.
And apparently they go live with it, right? And at the same time, the new CEO finds out about all this and terminates Sullivan. Sullivan was subsequently indicted and then recently had supplemental additional indictments against him for wire fraud as well. Sullivan currently faces eight to 10 years in federal prison if convicted of all the charges. And the magnitude here is really significant.
I mean, these are serious allegations and raise a lot of questions about whether an internal CIO or security leader or IT leader should ever really face criminal charges for the way that they handle a data breach. They have, you know, dual missions that they're trying to run, one to protect the organization's brand and two to comply with law enforcement. It also raises a lot of questions about whether
and when to engage law enforcement. And this is being watched by a lot of people. In 2018, Uber agreed to pay $148 million to settle claims around that 2016 data breach. That's just in the civil part, right? And in the law enforcement fines and things like that. It wound up affecting not 600,000 Uber drivers, not just that; it actually wound up affecting 57 million users, 57 million customers and users across the world. That is what the data breach affected. And the lawsuit involved attorneys general from every single US state. Seriously? Whoa.
Dino Mauro (36:07.918)
Yeah, the feds are not playing around. Most recently, on June 28th, 2022, a federal judge rejected Joe Sullivan and his counsel's attempt to dismiss the case that was brought against him. And he said, nope, you are going to trial on wire fraud charges over your role in the allegations involving this data breach that involved 57 million passengers. The U.S. Department of Justice, in December of 2021, just seven, eight months ago, added three new charges against Joseph Sullivan to the earlier indictment.
Dino Mauro (38:33.518)
They're saying that he arranged to pay money to the two hackers in exchange for their silence while trying to conceal the hacking from passengers, customers, drivers (not employees, but the people that are driving the Uber cars), and the FTC, the US Federal Trade Commission. So what happens then is, you have to remember, Kalanick is still the CEO back at this point. And there's some communications between Kalanick and Joe Sullivan
There's evidence of a text on November 15, 2016, where Sullivan allegedly texted Kalanick saying, quote, I have something sensitive I'd like to update you on if you have a minute, unquote. And then the two had a series of phone and FaceTime conversations. The key is that those two were, allegedly, clearly aware of the stolen driver's license information and the other private information taken
by the hackers. What makes this bad is there isn't any individual specific act that is so detrimental. But when you look at the totality of the circumstances, and the fact that he was already attesting to the FTC about the prior breach, and then there were internal lies, and then there was clearly payment made to hush the hackers up, but they
categorized it as a bug bounty program. Like, all of these things together lead to a really challenging method of dealing with a data breach, and one which is really looking like it could go south for Joe Sullivan. But, you know, it's in the hands of a jury and a judge, and we're gonna see what happens in the next couple of months.
You know, there are clear rules about when you have to engage law enforcement, and we have to follow those. And yeah, he lost his job at Uber, but he promptly found another one less than a year later, at Cloudflare, and he has had numerous jobs at other big brands as well. These charges, though, against an internal IT leader, could result in really bolstering statutory breach reporting requirements.
Dino Mauro (40:53.806)
I mean, they absolutely send a really powerful message about covering up data breaches. The breach itself can be bad, but this is far worse in how it's handled. U.S. District Judge William Orrick in San Francisco rejected Sullivan's motion to dismiss and said he has to face the jury, which is coming up for trial in a few months here in 2022. He rejected the claim of Sullivan,
who made the argument that he was only deceiving Kalanick and their lawyers, not the drivers. But the judge ruled, quote, those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them, unquote. At least according to the indictment. So the judge ruled that that needs to go. It's a question of fact. The jury has to decide that.
You recall the defendant was originally indicted back in September 2020 and now faces these additional allegations, including the wire fraud charges that were brought this past December. Why this matters is because this is the first time in history that a corporate information security officer has been criminally charged with concealing a hacking. It stems into
what you're supposed to do and what you cannot do. One of the challenges is there's not a lot of rules. There's no clear rule, per state or per country even, that says when this happened you must do this, when that happened you must do that. So one of the reasons a lot of people think it's a bad idea to punish internal IT executives too harshly for this, right? Maybe do something, but maybe not the maximum sentence. It's because there's poor
clarity in terms of how companies are required to protect sensitive information. We all know everybody should, but when things go south, there's no specific rule set that everybody knows about what you need to do in every single situation. But the counter argument to that is this, and that is there are clear rules,
Dino Mauro (43:16.418)
very clear, about when you're supposed to report data breaches. There are codified breach notification laws, depending on the compliance matter that you deal with. And here he was dealing with the FTC already and was already attesting by oath on this. And this is why legal experts,
cybersecurity insurance experts, CIOs from across the world are watching this case. This is why it is the data breach that changed the world, because everybody is looking at what are the rules and what are the ramifications for not complying with those rules when engaging law enforcement. It's going to have legal ramifications. It's going to have a massive ripple effect in the industry, not just in security.
Especially security, but not just there, in all business, right? Like being held that accountable for something like this. So let's begin with the latest data breach. Tell us, what did you find? Well, for those who have listened to our podcast in the past, you will be aware that we had a prior episode on the Uber data breach from 2016 and what led to these charges involving Joe Sullivan. And the latest news broke last Thursday, just a few days ago.
And employees at Uber strolled into work, they got to work, they got online, Uber corporate, right? They're doing their workday, and they use a lot of apps, just like all of us do. And they communicate. Some people use Skype, lots of people use Slack, right? And it's their communication channel. They use it on their phone, they use it on their desktop. And while communicating between team members, right? Via their internal Slack channel, unexpectedly,
and without any awareness, there was a hacker inside, and the hacker announced on Uber's internal Slack channel that he had completely accessed all of their systems and that he was upset about the way Uber had been treating their drivers. Right. Now, a little precursor, a little legal disclaimer. Everything in this podcast is alleged. OK, I wasn't there.
Dino Mauro (45:39.574)
You weren't there. Nope. No, we're basing this on screenshots that the alleged hacker has posted on Twitter, Telegram and other channels with other people in the hacking community. Because apparently this breach, like several others that we've talked about, Mark... Guess who this hacker was? Was he a state actor? Was he in North Korea, like we talked about in the Sony episode?
No, I wouldn't. I wouldn't lean that direction. I would think this sounds more personal. Yeah, this is an 18-year-old, allegedly. What? This is an 18-year-old. Yeah, it almost reminded me of like Baby Al Capone and Ellis Pinsky that we just talked about. Yep. It is like another Baby Al Capone. Yeah, and check out what he does. So as Uber says, well, we've turned off the internal Slack channel, and
you know, nothing's really been breached, there hasn't been that much access, etc. Well, what does he do? He starts posting. He's talking to other hackers in the community and he starts posting screenshots, all of which we'll show in the video for this episode. He posts the screenshots where he's talking to other people in the security field and other hackers, where they're like, are you the guy? And he's like, yep, check this out. Boom. Here's all their financials. Boom.
Here's all their expense reports. Wow. Here's their Amazon cloud access. So let me get to how that happened. So here's what we're going to talk about real quick. We're going to talk about what we know about the status of it. We're going to talk about how the hacker allegedly got in. What happened after. We'll touch a little bit on how this could have been prevented. Just in a sense; we're not going to sit here and go, well, if they had our services, or if they had this type of service, none of this would have happened. Nobody. No, no.
Nobody knows, and that's not the purpose of this podcast. But the truth is, it raises a couple of questions. Like, I thought they had this service, like I thought they had this, you know, awareness in place. How did he get around that? That's what's more interesting here. And then we're going to update you on the trial of Joseph Sullivan going on right now in a California courtroom. So, generally a breach by one person should not be the end of a company that large. One person shouldn't
Dino Mauro (48:07.522)
be able to access so much stuff, right? What happened was, and it was kind of ironic, where it almost came down to the audacity of a teenager versus some... Right, that's what it sounds like. Right? And the employee basically just wanted his notifications to stop. So let me tell you what happened. And as we get through it, you can almost hear the facepalms from the security team about
how this happened. So Uber confirmed Thursday that it was responding to a cybersecurity incident, after various reports on social media and things like that. And again, this gets into what you and I always talk about: Uber found out about this when the hacker decided to tell them he was in. Right. What are the stats, though? It's like 80% of CSOs, or any chief security officer for an organization, 80% of them find out
not because of self-discovery. Right. It's from the media, it's from social media, or it's from law enforcement. And we're going to have a couple of FBI agents, former and current, on this podcast that are coming up in the next couple of weeks. They're already scheduled and we've already talked to them. And they will be able to explain: most of these business owners and security teams did not know that they had been breached until we came knocking on the door. Right. And it's really, really shocking. Anyway.
So what happened was the first media announcement, where it became public, was in the New York Times on Thursday. Several of the internal communications and engineering systems had been taken offline by Uber in light of it while they investigated the incident. Okay. They stated... Uber said in a statement to TechCrunch that it's investigating the cybersecurity incident and that it was in contact with law enforcement, but they declined to answer any questions. So,
here's what we know about the status. And this is all gathered, and we're going to show the screenshots and cite all the resources. But believe it or not, I mean, it's so ridiculous that we learned about this... We're gathering all this information from Twitter of all places, Telegram, the encrypted private app, hacker forums, the New York Times, Reuters, Bloomberg, Fox and CNN, for both sides of the political table.
Dino Mauro (50:33.838)
And then, even more germane, from Wired and specific YouTube channels of people that were involved and spoke with the actual alleged hacker. So what happened was there seems to be a sole hacker behind the breach, 18 years old. Uber, in an update, said there's no evidence that users' private information was compromised. OK? This is what they're quoted as saying.
Quote, we have no evidence that the incident involved access to sensitive user data like trip history, unquote. And then they said, quote, all of our services, including Uber, Uber Eats, Uber Freight, and the Uber Driver app, are operational, unquote. A lot of people took issue with this for reasons we'll get into, but a lot of their access, almost every aspect of their organization, was visible. So, you know, here's what...
You know, back in 2016, I mean, they had to pay hundreds of millions. Remember, they had to pay a lot of money for fines and for the way that they handled it. That's part of the reason why Joe Sullivan... if you want the details of that prior breach, go listen to the other episode. Right, right. All the details are in that episode. Everything. So, despite what Uber is claiming here, the hacker was openly communicating with many people in the security and hacker community
and posting screenshots along the way. So on the one hand, Uber says, no big deal. And on the other hand, the hacker openly shows screenshots of Uber's complete financials, employee information. Actually, when he posted the screenshots, he had people's names up in the upper right-hand corner, the people that he had compromised. So one guy's name there is like Philip Lee, and I'd hate to be him today, but it looks like this guy got in under
his access, and he's going to see all the screens that he's got access to. Here's basically what happened. That's about as bad as it gets. Well, here's what happened. I'm just going to walk you through it. I'm not going to read all the reports, because it's a lot. But here's basically what happened. The 18-year-old gets the credentials, the login name, like the email and the password, for an Uber employee. Step one.
Dino Mauro (52:58.166)
Right? He got that. How did he get that? He could have got that from a phishing email. He could have got that from social engineering. Frankly, he could have bought it. Yeah. Passwords. There's a whole bunch of ways he could have done it. Frankly, he could have bought it on the dark web, or, frankly, guessed. Right? Like he could have just used password cracking software, or, frankly, just thought about it and guessed. It's not too hard. Right? Do a little research on people
that post their favorite sports teams on social media. Post Green Bay Packers, password. Right, a lot of people answer those Facebook posts, those memes that say, where was the first school that you went to growing up? It's like, it was St. Barman. Yeah, why should people not respond to that? That's great, buddy. That's your security answer for your password, right? Don't do that, okay? People, don't do that. Okay, so anyway, he gets that, but what happens? Uber's not dumb. They have what?
What do they have? What's the biggest protection that's required by most cybersecurity, cyber insurance firms? What's the process? You sell a lot of it. You should know. You've got, let's see... What are the most popular? Multifactor authentication. They have multifactor authentication. Okay. Well, there's an approach in security that hackers use. And are we going to get into the terms also? Let me digress here for a second. When we say hackers,
okay, we do not mean somebody that has ill intent, or somebody on the outside of the law, or something that's outside of morality. And we're gonna get into this with some upcoming episodes about the terminology and how we have to reset the terminology, because when I use the term hacker, I almost mean engineer. That's what it is.
The definition is really somebody with the ability to gain access that they don't have permission to. It doesn't make them a criminal. Not at all. And frankly, to understand our vulnerabilities, we have to know where we're vulnerable. We have to know. And hackers aren't... this isn't a Greek play. Like, people don't always... remember back thousands of years ago, the Greek plays, everybody was all good, and then this character was all bad. Right?
Dino Mauro (55:22.67)
It's not binary like that, right? There are some things that are a little gray; there's probably 50 shades of gray in the whole ambit of what a hacker will do in order to expose a vulnerability for an organization so that they can fix it. That's what this is about. Anyway, I digress. Here, what happened was he gets the guy's information, tries to log in as him, right? Tries to get into Uber. I mean,
Their CEO is testifying at trial in San Francisco. The whole world is watching. The former CISO was testifying last week during this time. Right. So the hacker is trying to get in, because, man, this would be a good one. Right. He's an 18-year-old. Yeah. All eyes on me. All eyes on me, man. This is a trophy. This is a huge trophy in the hacking community. So he's trying to get in. Well, guess what's happening. Every time he tries to log in, they say, what's the...
Please approve this in the multifactor authentication. So he just keeps doing it. It's a process called multifactor authentication fatigue, meaning you're spamming it, right, until the person ultimately doesn't want the notifications. As we're talking right now, I hear your frigging phone buzzing, and, you know, like, the point is, at a certain point you want to stop it, right? At a certain point you want it to stop. And
so what happens is the employee that he ultimately socially engineers to get in doesn't approve it, right? He's like, I'm not trying to log in. I'm either already in, or I'm not at work, or whatever. I'm not approving it. So then the hacker gets creative, and he goes to WhatsApp, and he says to the employee, trying to socially engineer him, hey, this is...
you know, blah, blah, blah, from your internal Uber IT team. We're trying to fix some configuration or do something. Please approve the multifactor authentication. So the employee does it. Presses one button on the phone, approving the multifactor authentication. And with that, now hang on, with that, he gains access as that employee. So as we know, when this happens,
Dino Mauro (57:49.048)
he now controls that employee's digital life, insofar as the sphere of his world as an Uber employee, right? He hasn't taken over this employee's personal banking information, his Facebook, his social media accounts. He hasn't gotten that yet, right? He may, who knows? He may take over all of Uber later, who knows? But as we know now, what he does have is complete access to what this employee did.
Well, here's where things go south. Apparently, Uber had a shared drive on there. So let me get the actual information. I'm going to show the screenshots, right? He got in through MFA fatigue, right? And he basically overloaded prompts and notifications, based on what was said. And this whole multifactor authentication fatigue, Mark, this is what happened with Twilio, MailChimp,
and Okta earlier this year. Wow. This is how they got in. It was multi-factor authentication fatigue. So once the attacker obtained valid credentials, they performed this push notification spamming repeatedly until the user approves. This usually happens because the user is distracted or overwhelmed by notifications. And in some cases, it could be misinterpreted as a bug or confused with other legitimate authentication requests. Right. I could see how that would happen.
So here's what happened after the hacker got in. So at a very high level, the consensus appears to be that there was social engineering, but then he was able to move laterally. So once he's in, he wasn't just in this employee's system. He was able to go through other systems. See, this is where the security architecture, the access, right? We always talk about this.
So much of it depends on... it all starts with an inventory. Do you know what's on your network? Do you actually know who at your company can access what? Because most business owners have no idea. They'll ask IT, and IT's like, we got this. You're secure. Don't worry about it. The truth is, does anybody do these, you know, super perfectly? This is where we talk about penetration testing, actual penetration testing with ethical hacking.
Dino Mauro (01:00:13.856)
Until you're able to see where that employee is able to move laterally in an organization, and possibly vertically, you don't know. You don't know. And somebody in another department, even if they're allowed to come into the organization's network, shouldn't have access to other pieces, right? For various reasons, but in a case like this, this is an example, a perfect example of that. Yep.
So they were able to move laterally. He was able to move laterally and pivot, right? And then he found administrative credentials that ultimately led him to get the keys to the Uber kingdom. The attacker found high-privilege credentials on a network file share. Okay. So he gets to a network file share, right? And then he's able to use those to access everything, including
production systems, Uber's Slack management interface, the Slack channel, the company's endpoint detection and response, their EDR portal. The attacker is also believed, so check this out, to have gained administrative access, not just like view, right? Administrative access to Uber's cloud services. Yeah. That can't be good. Amazon Web Services, their AWS,
and their Google Cloud, their GCP. That's where Uber stores its source code and customer data, as well as the company's HackerOne bug bounty program. So if you look online, HackerOne has a lot of things they do, the bug bounty program. You remember that bug bounty program is at the heart of the trial of Joe Sullivan right now. Right, right. Because... Maybe tell the listeners,
for first-time listeners, what's a bug bounty? What's that? Yeah. A bug bounty program is when companies that work in technology, like an app, Uber's an app, right? Well, they want the hacking community, and it's facilitated by excellent groups like HackerOne. They want them... they have a bug bounty program. If you find a vulnerability, if you can hack into this app, if there's bugs in this app,
Dino Mauro (01:02:34.164)
if it stalls out, if it breaks, if you break our app, tell us and we'll pay you. Right? Basically, they're just contracting out testing of their vulnerabilities and applications. It's quality control. It's research and development. And who can do that? Like, if they just employ all these hackers to test it, all these engineers to test it, they know what they know and they don't know what they don't know. You put it out in the wild, to the hacking community at large.
Now you're really going to find out what's wrong with your app, and they'll pay you for it. Right? Yeah. It's very common. That's how a lot of hackers make their living, and there's nothing wrong with it. Like, that's what we need. Right? That is what organizations need. Right? If you do it... and that's where it gets to gray hat, white hat, black hat. The point is, don't do it and then give us ransomware. Just do it and show us the vulnerability so we can fix it, and we'll pay you. Right? So...
And that gets into... listen to the other episode, because that's what Joseph Sullivan and team were claiming happened in the prior breach, but it really didn't happen. They had been compromised, paid them, and then they did it. The reason they did that in that case, as alleged, is because by saying they paid them under the bug bounty program, they wouldn't have to disclose it as a breach. So the stock wouldn't go down. That's what it's all about, because it all gets back
to the psychology of security and trust and privacy. So, it all makes sense, right? So, he seems to have gotten hold of privately disclosed vulnerability reports submitted through HackerOne as part of Uber's bug bounty program. That's bad. That's not good. So, TechCrunch reports that Sam Curry, a security engineer at Yuga Labs, described the breach as a complete compromise.
He said the threat actor likely had access to all of the company's vulnerability reports, which means they may have had access to vulnerabilities that have not yet been fixed. No, they told him where the holes were. Yeah. So HackerOne disabled Uber's bug bounty program. They're solid. They're on top of it. And in a statement to TechCrunch, Chris Evans, HackerOne's CISO and chief hacking officer, said the company is, quote,
Dino Mauro (01:04:59.862)
in close contact with the security team, have locked their data down and will continue to assist with their investigation, unquote. So, I mean, look, it looks like the person, like we said earlier, it looks like they were collecting trophies as they bounced through the network, and they were posting these trophies in the form of screenshots of various tools and utilities as they moved around Uber. And then they were, I mean, they were posting them publicly.
And I think that's what makes you realize that it really is probably an 18-year-old, right? Because it's just so boastful. It's like he's doing it for street cred. Right, right. Right. Look at me. Look what I can do. Look what I did. Well, look at the people that we've known that are professional engineers, CISOs today. It started as kids just like this. Yeah. Right. We've talked to people that were phreakers back in the day, people that hacked various systems, and they just did it.
They might have gotten in trouble. They might have gotten in trouble. They might have been threatened with some trouble. But the point is, then they shifted over to seeing how this is actually... you can be a productive member of society by doing it for a good cause. It seems like he's trying to build up some street cred, and man, he got a whale. This guy got access to their PAM, their privileged access management platform. He got access to everything. He got access to absolutely everything. So,
again, tell us what your thoughts are. You can send us an email at cybercrimejunkies@gmail.com or info@cybercrimejunkies.com.
Dino Mauro (01:06:34.072)
Today, the irony that Joseph Sullivan, a former federal prosecutor himself who tried some landmark cases as a prosecutor, including the first case in the United States prosecuted under the Digital Millennium Copyright Act, the prosecution of a hacker who breached NASA's Jet Propulsion Laboratory, has now been tried and convicted is not lost on him, or on the startup community, or the cybersecurity community.
The case has resulted in many CISOs, Chief Information Security Officers, questioning their role, questioning their responsibilities when it comes to personal liability and reliance on the company leaders whom they serve. More than 20 years after Joseph Sullivan started as a prosecutor against cyber criminals, he found himself on the other side of the table. The verdict after the trial, which came in last October, was clear. Despite thinking he would win at trial, the verdict came in
guilty against Joseph Sullivan. A San Francisco jury found him guilty on charges of obstructing an official proceeding and misprision of a felony, a failure-to-report-the-wrongdoing offense. In May of last year, he was sentenced to three years' probation. Now, many argue the sentence was too light, given that he was facing 20 years in prison. Many argue that it was seriously too heavy.
These days, Sullivan, after taking a year to reevaluate his life in the context in which he found himself, is the CEO at a nonprofit dedicated to providing humanitarian and technology aid to the people of Ukraine. And this case has had a huge impact on the community and on security leaders and IT leaders across the globe. They're questioning their own roles and potential personal liability when they make decisions, or when they rely on
business leaders that aren't as technical. The life lessons found in this case will be long term. Again, let us know in the comments, or reach out to us, text us direct. It's right in the show notes; you can reach out to us. And it goes right to our podcast studio. We'd love to hear from you. This was the story of what happened to Uber and how Uber broke trust.
Dino Mauro (01:08:57.645)
Well, that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies, and we thank you for watching.