Ex-Uber CSO convicted of cover-up in 2016 data breach

Share post:

Former Uber Technologies chief security officer (CSO) Joe Sullivan has been convicted by a jury of hiding a 2016 data breach from the U.S. Federal Trade Commission.

Bloomberg News reported the San Francisco jury rejected his defence that other executives knew about the coverup and were responsible, convicting him of obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers. That included over 800,000 Canadians.

Sullivan was accused of quietly arranging for Uber to pay the hackers US$100,000 in Bitcoin to delete the stolen data, under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty,”  the news report said. In return, the two hackers agreed not to disclose that they had stolen the data. The hackers later pleaded guilty for their role in the incident.

The October 2016 hack stayed secret until November, 2017 when it was disclosed by the new chief executive officer (CEO), Dara Khosrowshahi.

The prosecution noted that Sullivan emailed Uber’s then-CEO about that hack 12 hours after it was discovered.

The incident has been hanging over Uber ever since. In 2018 it paid a $148 million in a civil settlement to all 50 states and Washington D.C. for the coverup.

Separately, in July Uber entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation that the ride-sharing company deceived consumers about its privacy and data security practices.

Sullivan will be sentenced for Wednesday’s conviction at a future date.

In a commentary, David Lindner, CISO at Contrast Security, said the entire situation is extremely unfortunate for Uber and the broader legal/security communities. “What Uber did was cover up a breach through means of hiding it as a bug bounty submission,” he said in a statement. “The conviction of the security chief is a good start but for what was disclosed there should be even more accountability of the executives and even board members.

“Transparency is the only path forward for organizations. Transparency of breaches, transparency of known vulnerabilities, and transparency of the components used to build their software. Uber failed in being transparent and it has resulted in not only a fine but in the conviction of a human behind the decisions. We will see more of this if we don’t move to transparency fast.”

The post Ex-Uber CSO convicted of cover-up in 2016 data breach first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 29, 2024 – PyPI repository shuts to stop malicious uploads, a plea to developers to stop creating apps with SQL...

This episode reports on a US$10 million reward for a ransomware gang, a new Linux version of a backdoor

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways