Analysis: How Uber Covered Up a Breach and Avoided Charges
Also: Security Startups Halt Growth; FTC Updates Anna Delaney (annamadeline) • July 28, 2022 12 MinutesThe latest edition of the ISMG Security Report analyzes a settlement with the U.S. Department of Justice, in which Uber accepts responsibility for a 2016 data breach cover-up to avoid criminal charges. It also discusses why early stage start-ups are conserving cash and recent initiatives from the U.S. Federal Trade Commission.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz discuss how ride-sharing service Uber has reached an agreement with the Justice Department to resolve a criminal investigation into its massive 2016 data breach;
- ISMG's Michael Novinson explain why early-stage security startups are pumping the brakes on growth;
- Lisa Sotto of Hunton Andrews Kurth LLP share privacy and data security initiatives to watch from the U.S. Federal Trade Commission.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the July 15 and July 22 editions, which respectively discuss why ransomware attacks are intensifying and what happened to Russia's cyber war in Ukraine.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: Uber escapes prosecution after covering up 2016 data breach, and why nascent security startups are ditching the growth of at-all-costs mantra, these stories and more on this week's ISMG Security Report.
(Theme music)
Hello, I'm Anna Delaney. Uber has reached an agreement with the US Department of Justice to resolve a criminal investigation into its massive 2016 data breach. But the saga isn't over yet. Mathew Schwartz, ISMG's executive editor of DataBreachToday in Europe, investigates.
Mathew Schwartz: There's news in the long running saga of Uber's 2016 data breach. The US Department of Justice has dropped its criminal prosecution of the ride-sharing service after Uber signed a non-prosecution agreement. So, Uber's November 2016 breach involved hackers stealing legitimate credentials, using them to access Uber's private source code repository and then stealing information on numerous drivers and riders. In total, the hackers obtained records on approximately 57 million users as well as 600,000 driver's license numbers. The government's probe was driven by Uber's former senior management team having failed to report the 2016 data breach to the Federal Trade Commission. The FTC said Uber was required to do so because at that time, it was facing a pending FTC investigation into its cybersecurity practices over a 2014 data breach. So, the DOJ says its decision to drop this investigation, which was being led by the FBI, is based on multiple factors that includes the company's newly hired CEO in late 2017, immediately reporting the 2016 breach to the public as well as to regulators. The company also subsequently invested substantial resources to significantly restructure and enhance the company's compliance, legal, and security functions, according to the DOJ. Uber has taken numerous steps to overhaul its cybersecurity program, in particular. In October 2018, Uber reached an agreement with the FTC stipulating that it will maintain a comprehensive privacy program for 20 years, as well as report all unauthorized access to individuals' personal information being held by Uber to the FTC and other relevant authorities. Finally, Uber has agreed to continue cooperating with the government's ongoing prosecution of former chief security officer Joe Sullivan. He's been accused of attempting to cover up the 2016 breach by disguising an extortion payment to the hackers as a bug bounty. Specifically, Sullivan's been charged with paying two hackers $100,000 in hush money to cover up the breach. The hackers later pleaded guilty to computer fraud conspiracy charges. Sullivan is on the hook because he had been designated by Uber as being the person legally responsible for communicating with the FTC during its probe. As a side note, he formerly worked as Assistant US Attorney for the San Francisco US Attorney's Office, which is now prosecuting him. Sullivan denies the allegations. A spokesman for Sullivan told me that every action Sullivan and his breach response team took involved close collaboration with legal, communications, and other relevant teams at Uber in accordance with the company's written policies. So, Travis Kalanick, who is the CEO of Uber at the time of the data breach, has not been charged. And legal experts have told me that the case against Sullivan highlights a number of best practices that chief information security officers should always follow. One of the big ones is they should always keep their company's lawyer closely apprised of what they're doing, and get them to approve it in writing. For Information Security Media Group, I'm Mathew Schwartz.
(Transition ad: You're listening to the ISMG Security Report on ISMG Radio. ISMG, your number one source for information security news.)
Delaney: Our managing editor for business Michael Novinson writes that gone are the days of early-stage security startups promising to double sales each year, while burning cash on marketing programs even faster than they're bringing in new business. I caught up with him to find out why the second half of 2022 is all about taking a path to profitability. Very good to see, Michael. You wrote in a recent article that nascent startups are ditching the growth of at-all-costs mantra in favor of a novel idea: profitability. Tell us what's happening.
Michael Novinson: Anna, thank you for having me on. We've seen a shift, particularly at the series A and Series B phase, where historically, investors wanted to see that top-line growth and expansion and adding additional customers and they're looking for more, what would I call responsible growth, less of a push toward triple-digit, 100% year-over-year revenue increases and more in the 50 to 70% ballpark. So, they're not expanding as many marketing resources, or into non-poor markets or non-core technologies, and healthy growth that while the startup may not be making money now, at least there's a path to profitability in the next three to five quarters for that startup. Since essentially, each investor wants to ensure that they're able to exit at a profit, they understand that the folks who are investing a series D or C or series D, are more focused on profits and that's moved down to the early-stage folks as well. So, it is causing early-stage startups to rethink how they approach scaling and their product strategy and the go-to-market strategy.
Delaney: It's not just investors who are tightening their belts, is it?
Novinson: We are seeing customers as well start to shift their buying behavior and it's in certain characteristics that it's the net new customers who are facing the most resistance to adding new security technologies, that the budget isn't there, you can't do it off cycle, even if the CISO like the Proof of Concept, that isn't a lot. So, it is harder to get those net new customers on, which is a key metric for early-stage startups to validate their 'prior to the market' is bringing on that new customers. And that's hard to do. Now, a lot of them want to defer a quarter or two, then upsell existing customers, when it comes time for renewals that the security department is facing more scrutiny from the financial department to hold spending in line. So, existing customers will renew this. It's not that customers are walking away from their existing spending with early-stage startups. But in order to grow that voluntarily through your existing or net new customers is more challenging right now.
Delaney: Michael, what is your advice to founders of startups in these deteriorating market conditions? How should they adapt? And do you think this could be a long rocky road ahead for them?
Novinson: What I heard from venture capitalists is that it's about getting back to basics here and figuring out what is it that you do best? What is the technology that you're selling that makes the most money? What are the market segments, customer size, verticals, geographies, where you're strongest, and doubling down on those, not using this as a time to try to push into adjacent technologies, or to try to build out a channel and go down market or if you're a North American startup, trying to push into Europe to focus on what exactly you do best, so that you can show the ability to grow top line without hampering your bottom line. The phrase that comes up a lot nowadays is cash runway and making sure that you have enough money to get through a rainy day. And the timeframe people are recommending nowadays is two years of cash. Most downturns, whether it's 2001 or 2008, the formal recessions almost never last for more than 24 months. So, if you have two years of cash, in all likelihood, come 2024, if it's time to raise another round, America will be better, and conditions will be more favorable. But for folks who do need to raise money, either this year or perhaps early next year, they're going to have some tough choices to face: do they take less money, but try to keep their valuation and have the founders maintain their stake in the company? Or do they want to raise a larger amount which may mean either that the founders have to dilute their stake in the company, they have to give up a larger stake than they'd like to investors, or they have to take their cut in their valuation in comparison to what they're valued at 2020 and 2021. So, difficult decisions coming up for early-stage startups. You do not have much cash right now.
Delaney: Michael, thank you for these insights and for sharing your perspective on these market trends.
Novinson: Thank you for having me.
Delaney: 2022 has been a busy year for the Federal Trade Commission, which has released several privacy and data security updates. Legal expert Lisa Soto of Hunton Andrews Kurth shares the initiatives that she's watching with the most interest.
Lisa Sotto: While the FTC has been extremely active, it is fascinating to watch what the commission is doing. Three themes that I would just bring to the fore today. First, there's a focus on strengthening kids' privacy. That is true both at the FTC and in Congress. It's a reasonably non-controversial point. So it's somewhat easier than other types of data protection to protect kids' privacy, so we're going to see continued focus on strengthening the privacy of children's data. I'll also note that the FTC recently came out with a statement indicating that they are putting in place a de facto data breach reporting obligation at the federal level. That is a real sea change. There are no general data breach reporting obligations at the federal level. At the state level, there are 54 data breach notification laws in the United States, which is the 50 states plus Guam, US Virgin Islands, Puerto Rico and DC. But at the federal level, we have industry-sector specific reporting obligations, under HIPAA, the Gramm-Leach-Bliley Act, but not a generalized breach reporting obligation. The FTC recently brought an enforcement action and came out with a blog post to say that in some cases, there would be a de facto breach reporting obligation. That is going to be interesting to watch to see whether they use their section five authority with respect to breach notification where it may not be required at the state or other federal level. And then the third area to watch is the FTC is considering a rulemaking. They would like to curb lax security practices. I also want to focus on not allowing algorithmic decision making where it may result in unlawful discrimination, and then also focus on curbing privacy abuses. So I think those are three areas to watch and a number of others coming from the FTC now.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.