Ex-Uber security chief found guilty of covering up major data breach in 2016

Joseph Sullivan, former chief security officer of Uber, was convicted of federal charges for concealing a data breach from authorities in 2016. According to The New York Times, a jury in federal court in San Francisco found Sullivan guilty of obstructing the FTC's investigation of Uber, which was ongoing at the time and concerned another incident that occurred in 2014. He was also found guilty of actively hiding a crime from the authorities. Sullivan's case, believed to be the first time an executive has faced criminal charges over a hack, revolves around how the former executive dealt with bad actors who infiltrated Uber's Amazon server and demanded $100,000 from the company.

Hackers contacted Uber shortly after Sullivan requested a deposition from the FTC for its investigation of the 2014 cybersecurity incident. They told him they had found a security flaw that allowed them to download the personal data of 600,000 drivers and additional information related to 57 million drivers and passengers. As reported by The Washington Post, it was later revealed that the hackers had found a digital key, which they used to access Uber's Amazon account. There they found an unencrypted backup collection of personal passenger and driver data.

Sullivan told them about the company's bug bounty program, which offered a maximum payout of $10,000. However, the hackers wanted at least $100,000 and threatened to release the data they stole if Uber didn't pay. The former security chief paid them the amount they demanded in bitcoins and made it appear that they had been paid under the bug bounty program – an action which was allegedly sanctioned by the general manager of Uber, Travis Kalanick. He also tracked them down and got them to sign non-disclosure agreements.

The former executive's camp argued that Sullivan believed Uber user data was protected after the hackers signed an NDA. "Mr. Sullivan believed his customers' data was safe and that this was not an incident that needed to be reported. There was no cover-up and there was no 'obstruction,'" said his lawyer David Angeli. But prosecutors disagreed and saw his use of NDAs as a way to cover up the incident. Additionally, they pointed out that the incident should not have qualified for payment under the bug bounty program, which aims to reward friendly security researchers, when bad actors had threatened to leak users' personal data if they were not paid the amount they wanted.

Ultimately, the jury agreed with prosecutors that Sullivan should have told the FTC about the data breach. It wasn't until Dara Khosrowshahi took over as CEO that the FTC was made aware of the event. No sentence has yet been handed down, but Sullivan now faces five years in prison for obstruction and up to three more years for failing to report a crime.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.

