Former head of security at Uber found guilty of covering up data breach

A US federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of failing to disclose a 2016 breach of customer and driver records to regulators and attempting to cover up the incident.

Sullivan was convicted on two counts: one for obstruction of justice by failing to report the incident, and another for false imprisonment. He faces a maximum of five years in prison for the obstruction charge and a maximum of three years for the latter.

“Technology companies in the Northern District of California collect and store vast amounts of user data,” U.S. Attorney Stephanie M. Hinds said in a press release.

“We expect these companies to protect this data and notify customers and relevant authorities when such data is stolen by hackers. Sullivan affirmatively worked to conceal the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”

The 2016 Uber breach occurred as a result of two hackers gaining unauthorized access to the company’s database backups, prompting the company to secretly pay a $100,000 ransom in December 2016 in exchange for deleting the stolen information.

Uber also made the extortionists sign a non-disclosure agreement in an attempt to recast the hack as a bug bounty payout. The backups contained data belonging to 50 million Uber riders and seven million drivers.

To further complicate matters, the incident occurred when the US Department of Justice and the Federal Trade Commission (FTC) were already investigating the company for another data breach that took place on May 13, 2014.

In February 2015, Uber disclosed that one of its databases had been improperly accessed following a potential compromise of one of its encryption keys, resulting in the exposure of the names and license numbers of around 50,000 drivers. The incident was discovered on September 14, 2016.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar breach in 2014,” the FTC noted in 2018.

The DoJ said Sullivan played a crucial role in shaping Uber’s response to the FTC regarding the 2014 breach, in which the defendant testified under oath on November 4, 2016, about the number of steps he claimed the company had taken to secure user data.

But when Uber was compromised again, just 10 days after his FTC testimony, the agency said, “Sullivan executed a plan to prevent knowledge of the breach from reaching the FTC” instead of disclosing the matter to authorities and to its users.

Federal prosecutors also accused Sullivan of lying to Uber CEO Dara Khosrowshahi, as well as the company’s outside lawyers who investigated the incident in 2016, saying the “truth about the breach” finally emerged in November 2017.

Travis Kalanick, Uber’s co-founder and then-CEO, who resigned from the company in June 2017, also reportedly approved of Sullivan’s strategy for handling the unauthorized intrusion. Kalanick has not been charged.

In a statement shared with The New York Times, Sullivan’s legal team said his sole focus during the incident and his professional career has been to ensure “the security of people’s personal data on the Internet.”

The development, which marks the first time a senior company executive has been charged over a data breach, comes as the two hackers involved in the 2016 incident await sentencing on conspiracy to defraud charges after pleading guilty to the crime in October 2019.

“The separate pleas filed by the hackers show that after Sullivan helped cover up the hack of Uber, the hackers were able to commit additional intrusions at another corporate entity — Lynda.com — and attempt to compromise that data as well,” the DoJ pointed out.

Beyond the 2014 and 2016 breaches, which mirrored each other, Uber came under the spotlight again last month when its systems were breached a third time, in a hack it has since linked to the LAPSUS$ cybercrime group.

Last July, Uber also settled with the DoJ to pay $148 million and agreed to “implement a corporate integrity program, specific data security measures and incident and data breach response plans, along with biennial reviews.”

“The message in today’s guilty verdict is clear: companies that store their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI San Francisco Special Agent in Charge Robert K. Tripp.
