A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of failing to disclose a 2016 breach of customer and driver data to regulators and of attempting to cover up the incident.
What, then, does Uber's former head of security face?
Sullivan was convicted on two counts: first, obstructing the proceedings of a federal agency by not reporting the incident, and second, concealing a felony (misprision of a felony).
He faces up to five years in prison on the obstruction count and up to three years on the second.
“Technology companies in the Northern District of California collect and store large amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a press release.
She added: “We expect companies to protect that data and notify customers and relevant authorities when such data is stolen by hackers. Sullivan worked hard to hide the data breach from the Federal Trade Commission and took steps to prevent hackers from being caught.”
How did it all start?
The 2016 Uber hack began when two hackers gained unauthorized access to the company's database backups. In December 2016 Uber secretly paid them a $100,000 ransom in exchange for deleting the stolen data (in effect a data-extortion payment rather than a ransomware case).
Uber also had the extortionists sign nondisclosure agreements, in an attempt to pass the intrusion off as a bug bounty payout. The backups contained data belonging to 50 million Uber riders and 7 million drivers.
To complicate matters further, the incident occurred while the United States Department of Justice and the Federal Trade Commission (FTC) were already investigating the company over an earlier data breach, which took place on May 13, 2014.
In February 2015 the ride-hailing company disclosed that an unidentified party had accessed one of its databases, apparently after a cryptographic key was compromised, exposing the names and driver's license numbers of approximately 50,000 drivers.
That intrusion had gone unnoticed for months: Uber discovered it only in September 2014.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by not informing the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s surprisingly similar 2014 breach,” the FTC pointed out in 2018.
The U.S. Department of Justice (DoJ) said Sullivan played a central role in shaping Uber's response to the FTC over the 2014 breach: on November 4, 2016 he testified under oath about the steps the company claimed to have taken to protect user data (protections that were not in fact in place).
When he learned, just ten days after that testimony, that Uber had been compromised again, the agency said, Sullivan “plotted to prevent this breach from reaching the FTC” rather than disclosing it to the relevant authorities.
Federal prosecutors also accused Sullivan of lying to Uber chief executive Dara Khosrowshahi and to the outside lawyers investigating the 2016 incident; the “truth about the breach”, they said, finally came to light in November 2017.
Travis Kalanick, Uber's co-founder and CEO at the time, who resigned from the company in June 2017, is reported to have approved Sullivan's strategy for handling the intrusion. Kalanick, however, was not charged.
In a statement reported by the New York Times, Sullivan's legal team said that his sole focus, during the incident and throughout his career, had been the “security of people’s personal data on the Internet”.
How did it end?
The verdict, the first time a senior corporate executive has been criminally convicted over the handling of a data breach, comes as the two hackers behind the 2016 intrusion await sentencing on computer fraud conspiracy charges, to which they pleaded guilty in October 2019.
“Separate guilty pleas entered by the hackers show that after Sullivan helped cover up the Uber hack, the hackers were [subsequently] able to commit a further intrusion into another company, Lynda.com, and attempt to ransom that data as well,” the DoJ stressed.
Even as the 2014 and 2016 breaches are only now being resolved in court, Uber was back in the spotlight last month when its systems were breached a third time, in a hack since attributed to the LAPSUS$ cybercrime group.
Last July, Uber also reached an agreement with the DoJ, having paid $148 million in settlements over the breach, and committed to “implement a business integrity program, specific security measures for data security, and incident response and data breach notification plans, along with biennial assessments”.
“The message in today’s guilty verdict is clear: companies that store their customer data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI San Francisco Special Agent in Charge Robert K. Tripp.