Former Uber Security Chief Found Guilty of Data Breach Coverup

The Uber breach

A US federal court jury has found Uber’s former security chief Joseph Sullivan guilty of failing to disclose a 2016 breach of customer and executive data to regulators and attempting to cover up the incident.

Sullivan has been convicted of two counts: one of obstruction of justice by failing to report the incident and another of malpractice. He faces a maximum of five years in prison for the obstruction charge and a maximum of three years for the latter.

“Technology companies in the Northern District of California collect and store large amounts of user data,” US Attorney Stephanie M. Hinds said in a press release.

“We expect those companies to protect that data and alert customers and relevant authorities when such data is stolen by hackers. Sullivan worked proactively to conceal the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”

Uber’s 2016 breach occurred as a result of two hackers gaining unauthorized access to the company’s database backups, prompting the ride-hailing firm to secretly pay a $100,000 ransom in December 2016 in exchange for deletion of stolen information.


Uber also forced the extortionists to sign a non-disclosure agreement in an attempt to pass off the breach as a bug bounty payout. The backups contained data belonging to 50 million Uber riders and seven million drivers.

Complicating matters further, the incident occurred when the US Department of Justice and the Federal Trade Commission (FTC) were already investigating the company for another data breach that occurred on May 13, 2014.

In February 2015, Uber discovered that one of its databases had been improperly accessed following a possible compromise of one of its encryption keys, resulting in the exposure of the names and license numbers of approximately 50,000 drivers. The incident was discovered on September 14, 2016.

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s remarkably similar breach in 2014,” the FTC noted in 2018.

The DoJ said Sullivan played a crucial role in shaping Uber’s response to the FTC regarding the 2014 breach, with the defendant testifying under oath on Nov. 4, 2016, about the steps he alleged the company had taken to secure user data.

But after learning that Uber had been compromised again, just ten days after his testimony to the FTC, the agency said that “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC” rather than deciding to disclose the issue to the authorities and its users.

Federal prosecutors also accused Sullivan of lying to Uber Chief Executive Dara Khosrowshahi as well as the company’s outside lawyers investigating the 2016 incident, saying “the truth about the breach” finally came to light in November 2017.

Additionally, Travis Kalanick, the co-founder and then CEO of Uber, who resigned from the company in June 2017, is said to have endorsed Sullivan’s strategy for dealing with the unauthorized intrusion. Kalanick has not been charged.

In a statement shared with The New York Times, Sullivan’s legal team said his sole focus throughout the incident and his professional career has been to ensure “the security of people’s personal data online.”


The development, which marks the first time a senior company executive has faced criminal charges over a data breach, comes as two hackers involved in the 2016 incident await sentencing on fraud conspiracy charges after pleading guilty to the crime in October 2019.

“Separate guilty pleas filed by the hackers show that after Sullivan helped cover up the Uber hack, the hackers were able to conduct an additional intrusion into another corporate entity, Lynda.com, and attempt to extort that data as well,” the DoJ emphasized.

With the 2014 and 2016 security lapses mirroring each other, Uber was thrust into the spotlight again last month for the wrong reasons when its systems were breached for a third time, in a hack it has since linked to the cybercrime group LAPSUS$.

Last July, Uber also settled with the Department of Justice, agreeing to pay $148 million and to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, together with biennial assessments.”

“The message in today’s guilty verdict is clear: companies that store their customers’ data have a responsibility to protect that data and to do the right thing when breaches occur,” said FBI Special Agent in Charge Robert K. Tripp of the San Francisco field office.
