Former Uber Security Chief Convicted for Covering Up 2016 Data Breach

The former chief safety officer for Uber was convicted Wednesday of attempting to cowl up a 2016 information breach through which hackers accessed tens of tens of millions of buyer information from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing data {that a} federal felony had been dedicated, federal prosecutors stated.

Sullivan stays free on bond pending sentencing and will face a complete of eight years in jail on the 2 fees when he’s sentenced, prosecutors stated.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M. Hinds stated in a press release. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the primary legal prosecution of an organization govt over an information breach.

A lawyer for Sullivan, David Angeli, took situation with the decision.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli advised the New York Times.

An e-mail to Uber looking for touch upon the conviction wasn’t instantly returned.

Sullivan was employed as Uber’s chief safety officer in 2015. In November 2016, Sullivan was emailed by hackers, and workers shortly confirmed that they’d stolen information on about 57 million customers and likewise 600,000 driver’s license numbers, prosecutors stated.

After studying of the breach, Sullivan started a scheme to cover it from the general public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities stated.

According to the US lawyer’s workplace, Sullivan advised subordinates that “the story outdoors of the safety group was to be that ‘this investigation doesn’t exist,'” and arranged to pay the hackers $100,000 (roughly Rs. 82 lakh) in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber,” the US lawyer’s workplace stated.

Uber’s new administration started investigating the breach within the fall of 2017. Despite Sullivan mendacity to the brand new chief govt officer and others, the reality was uncovered and the breach was made public, prosecutors stated.

Sullivan was fired together with Craig Clark, an Uber lawyer he had advised in regards to the breach. Clark was given immunity by prosecutors and testified towards Sullivan.

No different Uber executives had been charged within the case.

The hackers pleaded responsible in 2019 to laptop fraud conspiracy fees and are awaiting sentencing.

Sullivan was convicted of of obstruction of proceedings of the Federal Trade Commission and misprision of felony, that means concealing data of a felony from authorities.

Meanwhile, some consultants have questioned how a lot cybersecurity has improved at Uber because the breach.

The firm introduced final month that each one its companies had been operational following what safety professionals referred to as a serious information breach, claiming there was no proof the hacker bought entry to delicate person information.

The lone hacker apparently gained entry posing as a colleague, tricking an Uber worker into surrendering their credentials. Screenshots the hacker shared with safety researchers point out they obtained full entry to the cloud-based techniques the place Uber shops delicate buyer and monetary information.

It will not be recognized how a lot information the hacker stole or how lengthy they had been inside Uber’s community. There was no indication they destroyed information.