By Sophie Sahagun
Online databases are part of modern life in both the public and private sectors. Organizations that store the personal data of employees and users must accept that hacking and data breaches are now a permanent fact of life for any entity reliant on computer technology, and must design their platforms with resilience against intrusion in mind. Firewall strategies that focus on prevention alone are no longer enough. Companies should both work to prevent breaches and have strategies ready to detect and contain problems quickly as they arise, so that when attacks inevitably occur they cause minimal privacy harm, data loss and interruption of operations. Planning of this kind not only protects the private data of employees and users and keeps operations running during an attack; it also reduces future legal liability and may spare the company costly class action lawsuits. With preventative measures alone, hackers are often able to take control of companies’ online databases and make brazen demands for large ransom payments.[1] Serious legal consequences, in the form of Securities and Exchange Commission (SEC) investigations, fines in the hundreds of millions of dollars and even criminal charges, await organizations and leaders who attempt to cover up breaches and quietly pay the hackers.[2]
Hacking often happens in the simplest way: through social engineering. Social engineering is the practice of gaining access to important cloud-based databases by manipulating users into revealing the credentials that grant access to them.[3] For example, a hacker may impersonate another employee at the company and request assistance that requires access to the database.[4] Hackers choose this method because it is often far easier and faster to manipulate people than to identify and bypass weaknesses in a platform’s software or network.[5] A successful hacker thereby obtains illicit access to information that is then either stolen outright or used as leverage for a ransom.
Once a breach of a database, file or private communication occurs, both private and public entities are required to report it promptly in compliance with state and federal law.[6] Each state has a similar but slightly different law requiring notification of state authorities and of affected residents, with thresholds that depend on how many individuals are affected.[7] In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into federal law; it requires covered entities in critical infrastructure sectors to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours.[8] The exact scope of the law is still undetermined, however, because CISA must first issue the rules that define which entities and incidents are covered and how the requirement will be enforced.[9] On September 12, 2022, CISA published a formal request for information (RFI) seeking public input on the policies and procedures it should adopt to make the reporting regime effective.[10] The comment window closed on November 14, 2022.[11] The actual parameters of the law will not take shape until CISA’s proposed rule is made final.[12]
Two case studies of cyberattacks on Uber best illustrate the need for company infrastructure that anticipates hacking and fixes problems as they arise. The first was a 2016 hack that was covered up and not revealed to the public or to law enforcement until 2017. A second major security breach at Uber occurred in September 2022. This paper explores both hacks: their aftermath, their legal consequences, and strategies that could have prevented the damage. Finally, I discuss an important strategy that CISA should incorporate into its new federal rules.
The 2016 Cyberattack on Uber
In October 2016, hackers breached Uber and stole the personal information of 57 million riders and drivers.[13] The information included names, email addresses and phone numbers,[14] and, for some 600,000 drivers, driver’s license numbers. The attackers first gained access to a GitHub repository used by Uber’s software engineers.[15] There they obtained login credentials for Uber’s cloud storage within Amazon Web Services, and with those credentials they downloaded the personal data of millions of individuals.[16] Uber concealed the breach, in violation of its reporting obligations, and paid the hackers $100,000 in exchange for “assurances” that the data would be deleted and that they would keep the breach secret.[17] The executives responsible for the cover-up were fired for failing to follow the applicable reporting obligations under state and federal law.
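The paragraph above says only that access to Uber’s GitHub account yielded AWS credentials. What follows is an added example, not code from this article or from Uber, of the check a practitioner would run as a pre-commit hook or CI job to catch exactly that failure: credentials committed as text in repository files (an assumption about how the credentials were stored). The sample repository is constructed, and the key values are the placeholder examples AWS publishes in its own documentation, not real credentials.

```python
"""Added example: scan repository contents for committed AWS credentials.

Not code from the article or from Uber. It assumes the credentials the
attackers found on GitHub were stored as plain text in repository files;
the key values below are the placeholder examples AWS publishes in its own
documentation, not real credentials.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) access key IDs share this shape.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
# A placeholder like 'xxxx...' has the right shape but almost no entropy;
# a real key scores well above 4 bits per character.
MIN_SECRET_ENTROPY = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string (0.0 for a run of one character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough to locate the credential in the file, never enough to use it."""
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Report every credential-shaped token in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group())))
        for m in SECRET_KEY_RE.finditer(line):
            # Drop low-entropy matches so documented placeholders do not page anyone.
            if shannon_entropy(m.group()) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group())))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository; the key values are AWS's documentation placeholders.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/env.example": "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n",
    "README.md": "Export credentials from the vault before running `make deploy`.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Run as a pre-commit hook, a non-empty result fails the commit; the same scan run over historical commits finds keys that were "removed" in a later commit but are still recoverable from the repository's history, which is why a found key must be rotated, not just deleted.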
Though Uber’s data leak is far from unusual in the number of affected individuals and the amount of information compromised, Uber’s handling of the incident came under legal scrutiny and resulted in fines, criminal charges and the termination of multiple executives. Uber paid the hackers both as ransom for deletion of the data and as “hush money” to keep them quiet about the breach.[18] Apparently, those hackers used that money to go on to attack other companies.[19]
Legal Ramifications
A. The FTC
The Federal Trade Commission (FTC) is a federal agency created by the Federal Trade Commission Act of 1914 to enforce consumer protection and antitrust laws.[20] When faced with a potential violation, the FTC begins by exercising its investigative powers under Sections 6, 9 and 20 of the Act, which allow it to subpoena documents and witness testimony relevant to an investigation. A subpoena that is not complied with can be enforced in federal district court, and the FTC has discretion to share information gathered during an investigation with other government agencies.[21] If the information gathered gives the FTC reason to believe the law is or was violated, it may exercise its enforcement powers. One route is a formal administrative complaint against the alleged violator. The respondent may elect to settle, which means consenting to a final order and waiving judicial review; if the Commission accepts the settlement, it publishes a proposed order for 30 days of public comment before making it final.[22] A respondent who litigates instead may appeal a final order to a federal court of appeals within 60 days; once an order is final, a respondent found to have violated it is liable for civil penalties assessed by a federal district court.[23] The FTC may also ask a federal court for a preliminary or permanent injunction against parties believed to be currently violating the law.[24]
The FTC had expressed concern about Uber’s cybersecurity since a breach in 2014, but its scrutiny of Uber intensified when news of the 2016 breach broke in 2017, in the middle of an existing FTC investigation.[25] In light of the 2016 breach and Uber’s failure to disclose it, the proposed settlement between the FTC and Uber was expanded to include additional requirements. One is that Uber submit to regular third-party assessments of its security program and provide those reports to the FTC; failure to comply would expose Uber to significant civil penalties.[26]
Ultimately, Uber agreed via settlement with the FTC to implement a comprehensive data security program.[27] The third-party assessments of that program must cover “1) secure software design, development, and testing, including access key management and secure cloud storage; 2) how Uber reviews and responds to third-party security vulnerability reports, including its bug bounty program; and 3) prevention, detection, and response to attacks, intrusions, or systems failures.”[28] In addition, Uber must submit a report to the FTC whenever it is required to report an incident to any other government agency, whether local, state or federal.[29]
B. Judicial Penalty via Civil and Criminal Charges
In 2016, while the FTC was investigating the 2014 breach, Uber was formally required to provide the agency with all relevant information, yet it knowingly failed to report the 2016 breach.[30] In July 2022, the U.S. Department of Justice entered into a non-prosecution agreement with Uber stipulating the conditions it must meet to avoid prosecution.[31] One condition is that Uber comply with its revised 2018 agreement with the FTC, including timely and regular reporting of all relevant information to the FTC for a period of 20 years, and with the Department of Justice’s corporate integrity and restructuring terms.[32] The agreement also required Uber to admit that its personnel had failed to report the breach to the FTC despite the pending investigation, an admission an FTC settlement does not require. Separately, in September 2018, Uber agreed to pay $148 million to settle claims brought by the attorneys general of all 50 states and the District of Columbia over the yearlong cover-up.[33]
The Department of Justice was willing to enter a non-prosecution agreement with Uber, rather than bring criminal charges against the company, for two reasons. First, the leadership responsible for the 2016 reporting failure was fired in 2017, and new leadership promptly reported the breach to the FTC. Second, a major part of the agreement required Uber’s full cooperation with the prosecution of its former chief security officer, Joseph Sullivan.[34] On October 5, 2022, Sullivan was found guilty in federal district court in the Northern District of California of obstruction of justice and misprision of a felony in connection with the 2016 breach, and was awaiting sentencing as of this writing.[35] One important takeaway from the verdict is that deliberate concealment of relevant information from a federal agency conducting an investigation can be criminal; this is a major warning to other companies that have found or will find themselves in Uber’s position.[36]
The 2022 Cyberattack on Uber
Another significant data breach, described by some as the “worst case scenario,” hit Uber on September 15, 2022.[37] Uber was forced to take multiple internal networks and systems offline after discovering the attack. The hacker gained access to Uber’s internal Slack workspace, announced themselves there as a hacker and posted screenshots of the internal systems they had reached. The hacker even explained how they got in: by posing as an authority and requesting a password from an employee. With that single employee’s credentials, the hacker was able to reach numerous internal systems.[38]
Uber promptly reported the attack to the FTC.[39] That was its most important obligation under the 2018 agreement and the government’s chief concern. So even if better technical infrastructure across Uber’s internal systems after the 2016 attack might have prevented this breach, Uber was unlikely to face a fine for failure to report. Even a civil penalty requiring Uber to pay damages to its users would likely not affect Uber’s operations much, given that Uber is a multibillion-dollar company.
Issues of Incentive
Basic economics offers Uber limited incentive to fortify itself against data breaches and attacks. A one-time payment of $148 million in fines is little incentive to overhaul and maintain an entirely new and more secure way of operating, because many view such a sum as simply the cost of doing business for a behemoth like Uber.[40]
The incentives that usually move large companies to change come in the form of expensive civil litigation, especially consumer class actions. Unlike many other large companies, however, Uber faces little threat from consumer class actions, and so has little motive to modify its policies. The terms and conditions each driver and user must accept in order to use the Uber app require the individual to agree to arbitration, severely limiting their ability to sue via class action.[41] The Supreme Court’s recent decision in Viking River Cruises, Inc. v. Moriana held that the Federal Arbitration Act requires enforcement of an agreement to arbitrate an employee’s individual claims, which lets companies like Uber use their terms and conditions to limit liability and makes certain types of lawsuits more difficult for consumers to bring.[42]
But even if expensive consumer class actions could be brought, courts disagree about how to evaluate the cause of action. It is difficult to link individual harms to a specific breach and to define the harm that victims of a breach endure. When someone’s personal data is compromised by a leak but there is no evidence it was used for a harmful purpose, there is only a risk of harm, not a harm, and many courts hold that risk alone is not enough to confer standing on an individual or a class.
Worse yet for data breach victims, TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), is now the governing standard. It holds that a statutory violation alone does not confer standing on a plaintiff who has not suffered a concrete harm of a kind courts have traditionally recognized. This means that an attempt to codify the legal status of a data breach, via a statute granting civil standing and a right to a remedy to any victim of a data leak, may not succeed. For example, if a statute said that any victim of a data breach within a certain scope may bring a claim in court, courts would likely say the statute on its own is not sufficient to grant the plaintiff standing.
When individuals do suffer harm because of a data breach, it is also difficult to trace that harm to a specific breach. Public and private entities of widely varying size suffer data breaches every day, from the Los Angeles Unified School District to Uber.[43] It is difficult to prove that misuse of an individual’s leaked username and password occurred because of Uber and not, for example, because of Lyft or another company entirely.
What Can Companies Do in the Future to Improve Their Data Protection?
A. Real-Time Threat Detection
Prevention is good, but threat detection is crucial. The days of relying on a firewall are gone; companies cannot assume that prevention alone works and must find ways to stop hackers in real time. That means, as one commentator put it, “[u]tilizing adaptive techniques that create a baseline of how users interact with a network and can identify odd behavior, which might be a sign of a malicious attack. Today, prevention has a place, but in order to reduce the impact of breach attempts, it must be backed up by threat detection and action.”[44]
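As an added illustration, not from the article or its quoted source, here is the kind of baseline-and-deviation logic the quotation describes, run over constructed login records. The log format, the user names and the IP addresses are all assumed for the example; the three indicators it checks (a source network never seen for that user, an hour outside the user’s usual hours, and a burst of failed attempts just before a success) are the ones a practitioner would tune per user, and the last of them is what a password obtained by social engineering tends to look like in a log when the attacker has to try a few times.

```python
"""Added example: baseline-and-deviation detection over login events.

Not code from the article. The log format, users and addresses are
constructed for illustration; the indicators are the ones a detection
engineer would tune per user from a clean training window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)
FAIL_WINDOW = timedelta(minutes=10)   # look-back for failed attempts
FAIL_THRESHOLD = 3                    # failures before a success that we flag


def parse(line: str) -> dict:
    """Turn one assumed-format log line into an event dict."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["net"] = ".".join(ev["src"].split(".")[:3])  # /24 as a coarse "where from"
    return ev


def build_baseline(lines) -> dict:
    """Per user: the /24 networks and UTC hours seen during a clean training window."""
    nets, hours = defaultdict(set), defaultdict(set)
    for ev in map(parse, lines):
        if ev["action"] == "login" and ev["result"] == "ok":
            nets[ev["user"]].add(ev["net"])
            hours[ev["user"]].add(ev["ts"].hour)
    return {"nets": nets, "hours": hours}


def detect(baseline: dict, lines) -> list:
    """Return (event, indicators) for every successful login that deviates."""
    alerts = []
    recent_fail = defaultdict(list)  # user -> timestamps of recent failures
    for ev in map(parse, lines):
        if ev["action"] != "login":
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] != "ok":
            recent_fail[user].append(ts)
            continue
        indicators = []
        # A user with no baseline at all is treated as new everywhere.
        if ev["net"] not in baseline["nets"].get(user, set()):
            indicators.append("new_source_network")
        if ts.hour not in baseline["hours"].get(user, set()):
            indicators.append("off_hours")
        fails = [t for t in recent_fail[user] if ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            indicators.append("failures_before_success")
        recent_fail[user] = []  # a success closes the failure run
        if indicators:
            alerts.append((ev, indicators))
    return alerts


# Constructed training window: alice works afternoons from 198.51.100.0/24,
# bob works mornings from 203.0.113.0/24 (both documentation address ranges).
BASELINE_LOG = """
2022-09-12T14:02:10Z user=alice src=198.51.100.23 action=login result=ok
2022-09-12T15:40:51Z user=alice src=198.51.100.23 action=login result=ok
2022-09-13T13:55:03Z user=alice src=198.51.100.41 action=login result=ok
2022-09-13T16:10:27Z user=alice src=198.51.100.41 action=login result=ok
2022-09-12T08:30:00Z user=bob src=203.0.113.9 action=login result=ok
2022-09-13T09:05:12Z user=bob src=203.0.113.9 action=login result=ok
""".strip().splitlines()

# Constructed live traffic: a 3 a.m. login for alice from an unknown network
# after three failures, and one late-night login for bob from his usual place.
LIVE_LOG = """
2022-09-15T03:09:10Z user=alice src=192.0.2.77 action=login result=fail
2022-09-15T03:09:40Z user=alice src=192.0.2.77 action=login result=fail
2022-09-15T03:10:15Z user=alice src=192.0.2.77 action=login result=fail
2022-09-15T03:12:44Z user=alice src=192.0.2.77 action=login result=ok
2022-09-15T09:00:30Z user=bob src=203.0.113.9 action=login result=ok
2022-09-15T14:05:00Z user=alice src=198.51.100.23 action=login result=ok
2022-09-15T22:30:00Z user=bob src=203.0.113.9 action=login result=ok
""".strip().splitlines()

if __name__ == "__main__":
    for ev, why in detect(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(ev["ts"].isoformat(), ev["user"], ev["src"], ",".join(why))
```

The two alerts differ in weight: three indicators on alice’s 3 a.m. login from an unknown network justify an automatic response such as revoking her sessions, while bob’s single off-hours indicator from his usual network is the sort of event that goes to a queue for review rather than paging anyone.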
B. End Over-reliance on Single Password Access
Companies rely too heavily on passwords to protect information. Multi-factor authentication would reduce that reliance on single, easily phished passwords, provided the second factor is not something an employee can be talked into handing over in the same phone call or chat that extracted the password.
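To make “a second factor” concrete, here is an added example, not from the article, of a time-based one-time password (RFC 6238) generated and verified in Python. It shows two server-side details a paragraph cannot: tolerance for clock drift, and refusal to accept a code that has already been used, which limits what an attacker gains from talking an employee into reading a code aloud to a single 30-second step. The shared secret is the RFC’s published test key, not a real credential.

```python
"""Added example: a TOTP (RFC 6238) second factor, verified server side.

Not code from the article. The shared secret below is the ASCII test key
from RFC 6238, used only so the results can be checked against the RFC's
published vectors; a real deployment generates a random secret per user.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # the time step authenticator apps use
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step))


def verify_totp(key: bytes, code: str, at: Optional[float] = None, window: int = 1,
                last_counter: Optional[int] = None, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    `window` tolerates clock drift of +/- one step. `last_counter` is the step
    of the last code this user successfully used; refusing anything at or
    before it stops a phished or shoulder-surfed code from being replayed.
    """
    if len(code) != DIGITS or not code.isdigit():
        return None
    at = time.time() if at is None else at
    now_counter = int(at // step)
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison: no timing side channel on the digits.
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (RFC 4648)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding apps often drop
    return base64.b32decode(cleaned)


# RFC 6238 test secret (ASCII '12345678901234567890'), not a production key.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC6238_SECRET, at=now)
    print("current code:", code, "accepted step:", verify_totp(RFC6238_SECRET, code, at=now))
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, a code read out to an attacker remains valid for the rest of its window. A code still has to be typed by a person, so TOTP can be phished in real time; hardware or platform authenticators bound to the site’s origin close that gap, but the replay check above is the minimum a TOTP verifier should do.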
C. Employee Training to Prevent Social Engineering
Hands-on training with realistic scenarios will help employees know what to do when someone posing as a superior asks for a password or for access, and how to tell impostors apart from real superiors within the company.[45]
What Should CISA Include In Its Policies and Procedures Under CIRCIA?
One major aspect of Executive Order 14028, President Biden’s May 2021 executive order on improving the nation’s cybersecurity, is the creation of a standardized playbook for responding to and mitigating cybersecurity vulnerabilities and incidents at federal agencies. Such a method, combined with prompt reporting by companies under CIRCIA, could lead to swift handling of incidents in which federal agencies protect consumers directly.[46] More specific criteria for handling cybersecurity at the federal level will become a template for how companies handle breaches moving forward.[47]
Conclusion
Uber is one of many companies with significant access to our private information, and data breaches occur every day. Because of the combination of non-prosecution agreements and arbitration clauses that remove the threat of class actions, companies have little incentive to adhere strictly to legal requirements. There must be a greater legal penalty, through economic incentives, regulation or both, for major technology companies that fail to upgrade their systems to withstand cyberattacks.
[1] Christian Martinez, Hackers Demanded Ransom from LAUSD. The District Refused to Pay. Los Angeles Times, Oct. 3, 2022.
[2] Kate Conger & Kevin Roose, Uber Investigating Breach of Its Computer Systems, New York Times, Sep. 15, 2022.
[3] Linda Rosencrance, Social Engineering, TechTarget (2021), https://www.techtarget.com/searchsecurity/definition/social-engineering (last visited Nov. 20, 2022).
[4] Id.
[5] Id.
[6] Selena Larson, Uber’s massive Hack: What We Know, CNN Business, Nov. 23, 2017.
[7] Perkins Coie, Security Breach Notification Chart By State, https://www.perkinscoie.com/images/content/2/4/246420/Security-Breach-Notification-Law-Chart-Sept-2021.pdf (last visited Nov. 20, 2022).
[8] Cybersecurity & Infrastructure Security Agency, Cyber Incident Reporting For Critical Infrastructure Act of 2022 (CIRCIA), https://www.cisa.gov/circia (last visited Nov. 20, 2022).
[9] Id.
[10] Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022, Federal Register (2022), https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022 (last visited Nov. 20, 2022).
[11] Id.
[12] Federal Register, supra note 10.
[13] Elizabeth Weise, Uber Paid Hackers $100,000 to Hide Year-Old Breach of 57 Million Users, USA Today, Nov. 21, 2017.
[14] Id.
[15] Id.
[16] Id.
[17] Eric Newcomer, Uber Paid Hackers to Delete Stolen Data on 57 Million People, Bloomberg, Nov. 21, 2017.
[18] Baker Hostetler Resources, Former Uber Chief Security Officer Convicted of Federal Obstruction and Concealment Crimes in Connection with Extortionate Data Breach, Oct. 11, 2022.
[19] Id.
[20] Federal Trade Commission, History, https://www.ftc.gov/about-ftc/history (last visited Nov. 20, 2022).
[21] Federal Trade Commission, A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority, https://www.ftc.gov/about-ftc/mission/enforcement-authority (last visited Nov. 20, 2022).
[22] Id. at §2(A)(1).
[23] Id. at §2(A)(2).
[24] Id. at §2(B).
[25] Lesley Fair, FTC Addresses Uber’s Undisclosed Data Breach in New Proposed Order, Federal Trade Commission Blog (2018).
[26] Uber Agrees to Expanded Settlement with FTC Related to Privacy, Security Claims, Federal Trade Commission Release, Apr. 12, 2018.
[27] Lesley Fair, supra note 25.
[28] Id.
[29] Id.
[30] Uber Enters Non-Prosecution Agreement Related to 2016 Data Breach, U.S. Attorney’s Office Press Release, Jul. 22, 2022.
[31] Id.
[32] Id.
[33] Bill Chappell, Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach, NPR Business, Sep. 27, 2018.
[34] Id.
[35] Baker Hostetler Resources, supra note 18.
[36] Id.
[37] Eric Kedrosky, Uber Data Breach is Worst Case Scenario, Security Boulevard, Sep. 17, 2022.
[38] Kate Conger & Kevin Roose, supra note 2.
[39] Lindsay Shachnow, Uber Users: What You Need to Know about Last Month’s Data Breach, Boston University Today, Oct. 11, 2022.
[40] Alison Frankel, Data Breach Class Actions Are the Least of Uber’s Problems, Reuters, Nov. 27, 2017.
[41] Uber Legal, https://www.uber.com/legal/en/ (last visited Nov. 20, 2022).
[42] Supreme Court Sides with Viking River Over Arbitration of California PAGA Claims, Ogletree Deakins Insights, Jun. 15, 2022.
[43] Christian Martinez, supra note 1.
[44] Dennis Scimeca, Uber Got Uber-Hacked, Industry Week, Sep. 16, 2022.
[45] Lindsay Shachnow, supra note 39.
[46] Executive Order on Improving the Nation’s Cybersecurity, Cybersecurity & Infrastructure Security Agency, https://www.cisa.gov/executive-order-improving-nations-cybersecurity (last visited Nov. 20, 2022).
[47] Id.