The Cover-Up Was the Crime
Uber's breach was fixable. Hiding it made a security chief a felon — and moved the line for everyone who does the job.
On November 14, 2016, two people contacted Uber to say they had downloaded the personal records of fifty-seven million users and drivers, and they wanted to be paid. Inside the company, the breach was confirmed within days. Within weeks, it was closed — passwords reset, multi-factor authentication required on the developer accounts that had been the way in, the exposed cloud key rotated, the datastore locked down. By any technical measure, Uber handled the incident quickly.
That is the part of the story that tends to get lost. The break-in itself was unremarkable. A password reused from another breach opened a private code repository. Inside the code sat an access key, written in plain text, that unlocked the datastore. The records were stored without encryption, so anyone who reached them could read them. None of the four controls that would have stopped this were exotic; all four were baseline, and the company put them in place once it knew. If the story ended there, it would be one more entry in a long ledger of preventable breaches.
It does not end there, and the reason it became a landmark has nothing to do with how the data was taken. It has to do with what happened after the company already knew.
When the breach was confirmed, Uber was not free to decide privately how to respond. Eighteen months earlier, after a separate 2014 compromise, the Federal Trade Commission had issued a Civil Investigative Demand — a binding legal instrument that, among other things, required Uber to report future unauthorised access to personal data. The order was active on the day the 2016 breach was confirmed. The obligation to disclose was not a matter of judgment or public relations. It was already law for this company.
What Uber did instead was route a hundred thousand dollars to the attackers through its bug-bounty platform, structured to look like a reward for a security researcher, and have them sign agreements stating that no data had been taken. The disclosure did not happen for a year.
The federal case that followed did not charge anyone for the breach. It charged Joseph Sullivan, the chief security officer, for the concealment — on two counts. Obstruction of justice covered withholding the breach from the FTC while its investigation was open and its order in force. Misprision of a felony covered something narrower and, for anyone in the field, more pointed: it is the crime of knowing a felony has occurred and taking active steps to conceal it. The distinction is the word active. A failure to report is an omission; the payment dressed as a bounty and the agreements asserting nothing was taken were acts, and it was the acts that turned an unmet reporting obligation into a personal crime.
A jury convicted Sullivan in 2022. He was sentenced to three years of probation in 2023. In March 2025, the Ninth Circuit Court of Appeals affirmed the conviction, which makes the precedent settled appellate law rather than a single jury’s verdict.
Here is the part the episode could only point at. For most of the history of corporate security, the consequences of a mishandled breach landed on the company: a fine, a consent decree, a quarter of bad headlines, sometimes a firing. The individual who made the call was insulated by the institution around them. That insulation is what the Sullivan case removed. The decision to conceal a known breach is now something a person can be convicted for, individually, regardless of what the company absorbs in parallel. The role of chief security officer carries an exposure it did not carry before — not for failing to prevent an attack, but for what one does in the hours after discovering one.
There is a second thread worth pulling, because it complicates a system the security industry generally regards as a good one.
A bug-bounty program is a standing arrangement: a company invites outside researchers to find weaknesses and report them through a managed platform, and pays them for doing so. The platforms exist to make that exchange orderly and documented. The payment is logged. The researcher’s identity is verified. The disclosure leaves a paper trail. All of that machinery is built to create a clean, auditable record of legitimate security work.
In this case, the same machinery was used to produce the opposite. The people being paid were not researchers who had found a flaw; they were attackers who had taken data and asked for money. The payment ran through the platform anyway, recorded as a reward. The agreements they signed entered the file as evidence that nothing had happened. Every artifact that normally signals a healthy disclosure — the logged payment, the verified identity, the signed paperwork — was present, and every one of them was pointed backward, building a record in which a breach of fifty-seven million people did not exist.
What that shows is that a process designed to create trust can also be used to launder its absence. A bounty payment is not self-authenticating. A reward in a platform’s ledger says that money moved through a channel; it does not, on its own, say the money paid for research rather than for silence. That distinction lives in facts the ledger does not capture — what was taken, by whom, and what was demanded — and those were exactly the facts the structure was being used to bury.
The four controls that were missing at the time of this breach had all been available, the earliest of them for years. Putting them in place afterward took a matter of weeks. The breach was the recoverable part.
The concealment was not. Disclosure exists so that the people whose data was taken can act on it — watch their accounts, change what can be changed — and for a year, fifty-seven million people did not have that option. The law now treats the choice to impose that silence as one a person makes on their own account. That is the line the Uber case drew, and the appeals court has left it standing.
Watch or listen to the full episode, and download the one-page technical breakdown — the timeline, the attack path, and the four controls that were missing — at zerodaylogs.com.
