Joseph Sullivan, formerly Uber’s security chief, has been convicted on federal charges for concealing a 2016 data breach from authorities. According to The New York Times, a jury in a federal court in San Francisco found Sullivan guilty of obstructing the FTC’s then-ongoing investigation into Uber over another violation in 2014. He was also found guilty of actively hiding a crime from authorities. Sullivan’s case, believed to be the first time an executive has been prosecuted for a hack, revolves around how the former executive dealt with the bad actors who infiltrated Uber’s Amazon server and demanded $100,000 from the company.
The hackers contacted Uber shortly after Sullivan testified before the FTC regarding the investigation into the 2014 cybersecurity incident. They told him they had found a vulnerability that allowed them to download the personal data of 600,000 drivers and additional information on 57 million drivers and passengers. As The Washington Post later reported, the hackers found a digital key that they used to get into Uber’s Amazon account. There they found an unencrypted backup collection of personal data of passengers and drivers.
Sullivan pointed them to the company’s bug bounty program, which had a maximum payout of $10,000. However, the hackers wanted at least $100,000 and threatened to release the stolen data if Uber didn’t pay. The former security chief paid them the requested amount in bitcoin, making it appear they had been paid under the bug bounty program — a move reportedly sanctioned by then-Uber boss Travis Kalanick. He also tracked them down and had them sign non-disclosure agreements.
The former executive’s camp argued that Sullivan felt Uber’s user data was protected after the hackers signed a non-disclosure agreement. “Mr. Sullivan believed his customers’ data was secure and that this was not a reportable incident. There was no cover-up and no obstruction,” his attorney David Angeli said. However, prosecutors disagreed and viewed his use of NDAs as a way to cover up the incident. Additionally, they stressed that the incident shouldn’t qualify for a payout under the bug bounty program designed to reward friendly security researchers, as the bad actors threatened to release users’ personal information if they weren’t paid the amount that they wanted.
In the end, the jury agreed with prosecutors that Sullivan should have notified the FTC of the data breach. It was not until Dara Khosrowshahi took over as CEO that the FTC was informed of the event. He has not yet been sentenced, but Sullivan now faces five years in prison for obstruction and up to three more years for failing to report a crime.