Former Uber Security Chief Convicted for Covering Up 2016 Data Breach

The former chief safety officer for Uber was convicted Wednesday of attempting to cowl up a 2016 information breach wherein hackers accessed tens of tens of millions of buyer information from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing data {that a} federal felony had been dedicated, federal prosecutors mentioned.

Sullivan stays free on bond pending sentencing and will face a complete of eight years in jail on the 2 fees when he’s sentenced, prosecutors mentioned.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M. Hinds mentioned in a press release. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the primary felony prosecution of an organization government over a knowledge breach.

A lawyer for Sullivan, David Angeli, took concern with the decision.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli instructed the New York Times.

An e-mail to Uber in search of touch upon the conviction wasn’t instantly returned.

Sullivan was employed as Uber’s chief safety officer in 2015. In November 2016, Sullivan was emailed by hackers, and workers rapidly confirmed that they’d stolen information on about 57 million customers and likewise 600,000 driver’s license numbers, prosecutors mentioned.

After studying of the breach, Sullivan started a scheme to cover it from the general public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities mentioned.

According to the US lawyer’s workplace, Sullivan instructed subordinates that “the story exterior of the safety group was to be that ‘this investigation doesn’t exist,'” and arranged to pay the hackers $100,000 (roughly Rs. 82 lakh) in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber,” the US lawyer’s workplace mentioned.

Uber’s new administration started investigating the breach within the fall of 2017. Despite Sullivan mendacity to the brand new chief government officer and others, the reality was uncovered and the breach was made public, prosecutors mentioned.

Sullivan was fired together with Craig Clark, an Uber lawyer he had instructed concerning the breach. Clark was given immunity by prosecutors and testified towards Sullivan.

No different Uber executives had been charged within the case.

The hackers pleaded responsible in 2019 to pc fraud conspiracy fees and are awaiting sentencing.

Sullivan was convicted of of obstruction of proceedings of the Federal Trade Commission and misprision of felony, that means concealing data of a felony from authorities.

Meanwhile, some consultants have questioned how a lot cybersecurity has improved at Uber because the breach.

The firm introduced final month that every one its providers had been operational following what safety professionals referred to as a serious information breach, claiming there was no proof the hacker received entry to delicate person information.

The lone hacker apparently gained entry posing as a colleague, tricking an Uber worker into surrendering their credentials. Screenshots the hacker shared with safety researchers point out they obtained full entry to the cloud-based methods the place Uber shops delicate buyer and monetary information.

It just isn’t identified how a lot information the hacker stole or how lengthy they had been inside Uber’s community. There was no indication they destroyed information.