Former Uber security chief found guilty of covering up 2016 data breach

Former Uber security chief convicted of criminal obstruction for trying to cover up a data breach that resulted in the theft of tens of millions of customer and driver records.

A federal jury in San Francisco has found Joseph Sullivan, the former chief security officer (CSO) of Uber, guilty of obstructing justice and concealing knowledge that a federal crime had been committed, the Department of Justice confirmed Wednesday.

The case relates to a 2016 breach of Uber's systems that exposed the data of 50 million customers and seven million drivers, including names, email addresses and phone numbers. Approximately 600,000 driver's license numbers for US drivers were also included in the breach.

The data breach happened just months after Sullivan was hired by Uber to help the company bolster its cybersecurity after a small breach in 2014 saw hackers access the personal information of about 50,000 consumers.

After learning of the 2016 breach, Sullivan launched a scheme to hide it from the public and the Federal Trade Commission (FTC), which was investigating the 2014 breach, prosecutors say.

Sullivan, who is now Cloudflare's CSO, told a subordinate that information about the breach should be "tightly controlled" and that the story outside of the security group should be that "this investigation does not exist". He also arranged to pay the hackers $100,000 under the guise of a bug bounty program in exchange for signing nondisclosure agreements promising not to reveal the hack.

Uber fired Sullivan in 2017, and in 2020 federal prosecutors charged him with one count of obstruction and one count of misprision of a felony. His trial is believed to be the first time a corporate executive has faced criminal charges over a hack.

"Tech companies in the Northern District of California collect and store vast amounts of user data," said U.S. Attorney Hinds. "We expect these companies to protect this data and alert customers and appropriate authorities when this data is stolen by hackers. We will not tolerate the withholding of important information from the public by company executives more concerned with protecting their reputation and that of their employers than protecting users. If such conduct violates federal law, it will be prosecuted."

Uber did not publicly disclose the incident or notify the FTC until a new chief executive, Dara Khosrowshahi, joined the company in 2017. Since then, Uber has paid $148 million to settle a case brought by 50 US states and the District of Columbia for trying to cover up the breach. It was also slapped with fines by UK and Dutch data protection authorities totaling nearly $1.2 million; the breach affected 82,000 UK-based drivers and 174,000 Dutch citizens.

A sentencing date has not yet been set, but Sullivan faces a maximum of five years in prison for obstruction of justice and up to three years for failing to report the crime, according to the DOJ.

News of Sullivan's conviction comes just weeks after Uber confirmed a recent breach that saw hackers break into the company's network and gain access to systems that store vast amounts of customer data. Uber later revealed that a Lapsus$-affiliated hacker stole internal information and Slack messages, but said no sensitive information, like credit card data and ride history, was taken.
