A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of not disclosing a 2016 breach of customer and driver records to regulators and of attempting to cover up the incident.
Sullivan has been convicted on two counts: one for obstructing justice by not reporting the incident and another for misprision. He faces a maximum of five years in prison for the obstruction charge and a maximum of three years for the misprision charge.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said[1] in a press statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
The 2016 hack of Uber occurred as a result of two hackers gaining unauthorized access to the company’s database backups, prompting the ride-hailing firm to secretly pay a $100,000 ransom in December 2016 in exchange for deleting the stolen information.
Uber also had the extortionists sign a non-disclosure agreement in an attempt to pass off the break-in as a bug bounty reward. The backups contained data belonging to 50 million Uber riders and 7 million drivers.
Complicating things further, the incident occurred when the U.S. Justice Department and the Federal Trade Commission (FTC) were already probing the company for another data breach that took place on May 13, 2014.
In February 2015, Uber revealed[2] that one of its databases had been improperly accessed following a potential compromise of one of the encryption keys, resulting in the exposure of names and license numbers of about 50,000 drivers. The incident was discovered on September 14, 2016.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” the FTC noted[3] in 2018.
The DoJ said that Sullivan played a crucial role in shaping Uber’s response to the FTC regarding the 2014 breach, with the defendant testifying under oath on November 4, 2016, about the steps that he claimed the company had taken to secure user data.
But upon learning that Uber had been compromised again, only ten days after his FTC testimony, the agency said “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC” instead of divulging the matter to the authorities and to Uber’s users.
Federal prosecutors also accused Sullivan of lying to Uber’s chief executive Dara Khosrowshahi as well as to the company’s outside lawyers investigating the 2016 incident, stating that the “truth about the breach” finally came to light in November 2017[4].
What’s more, Travis Kalanick, Uber’s co-founder and then CEO, who resigned[5] from the company in June 2017, is said to have approved[6] Sullivan’s strategy for handling the unauthorized intrusion. Kalanick has not been charged.
In a statement shared with The New York Times, Sullivan’s legal team said[7] his only focus during the course of the incident and his professional career has been to ensure the “safety of people’s personal data on the internet.”
The development, which marks the first time a senior company executive has faced criminal charges over a data breach, comes as the two hackers involved in the 2016 incident await sentencing on their fraud conspiracy charges[8] after pleading guilty in October 2019.
“The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity — Lynda.com — and attempt to ransom that data as well,” the DoJ pointed out.
The parallels between the 2014 and 2016 security lapses aside, Uber came under the spotlight last month for the wrong reasons when its systems were breached a third time[9] in a hack that it has since linked to the LAPSUS$ cybercrime group[10].
This past July, Uber also settled[11] with the DoJ to pay $148 million and agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” FBI San Francisco Special Agent in Charge Robert K. Tripp said.
References
- [1] said (www.justice.gov)
- [2] revealed (www.latimes.com)
- [3] noted (www.ftc.gov)
- [4] November 2017 (thehackernews.com)
- [5] resigned (www.nytimes.com)
- [6] approved (www.washingtonpost.com)
- [7] said (www.nytimes.com)
- [8] fraud conspiracy charges (www.courthousenews.com)
- [9] breached a third time (thehackernews.com)
- [10] LAPSUS$ cybercrime group (thehackernews.com)
- [11] settled (www.justice.gov)
Read more https://thehackernews.com/2022/10/former-uber-security-chief-found-guilty.html