Joe Sullivan, Uber’s former chief security officer and current CSO at Cloudflare, was found guilty of illegally concealing the theft of personal data from Uber drivers and customers in a 2016 data breach.
Sullivan, a former US Department of Justice cybercrime prosecutor, was found guilty of obstructing the Federal Trade Commission’s FTC investigation and committing a crime in connection with an attempt to cover up the Uber breach and to pay a bounty to the hackers.
On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement admitting that perpetrators broke into Uber and stole 57 million customer and driver records in late 2016, prompting Sullivan and Craig Clark, the legal director of security and law enforcement, to be fired.
According to court documents, Sullivan discovered the theft in November 2016, about ten days after he testified under oath to the FTC about Uber’s security practices.
When hackers Brandon Charles Glover and Vasile Mereacre contacted him to tell him they had stolen data from Uber and demanded a ransom to delete the stolen data, he failed to report it to authorities.
Instead of reporting the breach, Sullivan devised a plan to keep it secret and pay Glover and Mereacre $100,000, under the pretext of a legitimate bug bounty reward in exchange for signing non-disclosure agreements on the attack. Sullivan also took steps to prevent the arrest of the hackers.
Sullivan’s attorney, David Angeli, argued that Sullivan disclosed the breach to Khosrowshahi almost immediately and even explained his actions.
The sources for this piece include an article in TheRegister.