Former Uber security chief guilty of data breach coverup



The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

Sullivan remains free on bond pending sentencing and will face a total of eight years in prison on the two charges when he’s sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

A lawyer for Sullivan, David Angeli, took issue with the verdict.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

An email to Uber seeking comment on the conviction wasn’t immediately returned.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation doesn’t exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber,” the U.S. attorney’s office said.

Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered and the breach was made public, prosecutors said.

Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.

No other Uber executives were charged in the case.

The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony, meaning concealing knowledge of a felony from authorities.

Meanwhile, some experts have questioned how much cybersecurity has improved at Uber since the breach.

The company announced last month that all its services were operational following what security professionals called a major data breach, claiming there was no evidence the hacker obtained access to sensitive user data.

The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It isn’t known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.

