Former Uber security chief convicted on charges of covering up a hack in 2016
Former Uber chief security officer Joe Sullivan has been found guilty of charges that he covered up a 2016 cyberattack where a hacker downloaded the personal information of more than 57 million people. The information stolen from Uber included names, email addresses, and phone numbers for more than 50 million Uber riders and 7 million drivers, as well as driver’s license numbers for another 600,000 drivers.
As reported by the New York Times and Washington Post, the jury convicted Sullivan on two counts: one for obstructing justice by not revealing the breach to the FTC and another for misprision, which is concealing a felony from the authorities.
This is believed to be the first time a company executive faced criminal prosecution over a hack.
He’d faced three counts of wire fraud, but prosecutors dismissed those charges in August. Sullivan had served as a security executive at other companies, including Facebook and Cloudflare, and, as the Post points out, in this case, he was pitted against the same San Francisco US attorney’s office where he had previously worked prosecuting cybercrimes.
The prosecution described the hack itself in its original complaint (PDF), noting that it almost exactly mirrored a 2014 breach of Uber, over which the FTC was already investigating the company at the time of the incident. As the trial began in September, Uber’s systems were breached again in a hack linked to an alleged former member of the Lapsus$ ransomware group, forcing it to temporarily take some internal systems offline.
The 2016 breach occurred when two outsiders trawling GitHub found credentials giving them access to Uber’s Amazon Web Services (AWS) storage, which they used to download its database backups. The hackers then contacted Uber and negotiated a ransom payment in exchange for a promise to delete the stolen information. The ransom was paid out in $100,000 worth of Bitcoin and treated as part of the company’s bug bounty program. In 2019, they pleaded guilty to hacking the company.
Uber’s new CEO testified he “could not trust” his chief security officer.