
Uber’s former security chief convicted of data hack coverup


Uber Technologies Inc.’s former security chief was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.

Joe Sullivan was found guilty in federal court in San Francisco on Wednesday by a jury that rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.

The trial featured almost four weeks of testimony that explored cybersecurity management as well as a shakeup at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as chief executive.

Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.

Sullivan, a former federal prosecutor who previously headed security for Facebook, is well known for his expertise in the field in Silicon Valley. He faces as much as eight years in prison, though his sentence probably will be far less.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”

Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in U.S. history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach in 2014.

Sullivan was accused of actively covering up the hack.

Prosecutors alleged that he quietly arranged for the company to pay the hackers $100,000 in bitcoin to delete the stolen data under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty.” In return, the two hackers agreed not to…


Ex-Uber chief security officer convicted of covering up data breach


SAN FRANCISCO – The ex-chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.

A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.

According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.

The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the FTC served the company with a demand for information about any other instances of unauthorized access to user personal information as well as information regarding its broader data security program and practices.

Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the FTC, participated in a presentation to the FTC in March 2016 and testified under oath on Nov. 6, 2016, regarding the company’s practices.

Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.

All told, the breach involved 57 million Uber users and 600,000 driver’s license numbers.

Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal the hack to anyone….


Ex-Uber chief security officer found guilty of covering up 2016 data breach


SAN FRANCISCO – The ex-chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.

A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.

According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.

The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the federal agency served the company with a demand for information about any other instances of unauthorized access to user personal information, as well as information regarding its broader data security program and practices.

Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the agency, participated in a presentation to the regulators in March 2016 and testified under oath on Nov. 6, 2016, regarding the company’s practices.

Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.

All told, the breach involved 57 million Uber users and 600,000 driver license numbers.

Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal…


Uber’s former security chief covered up enormous hack he said ‘did not exist’


Uber Cybersecurity (Copyright 2022 The Associated Press. All rights reserved)


Uber’s former chief security officer has been found guilty of attempting to cover up a data breach in which hackers accessed tens of millions of customer records.

Joseph Sullivan was convicted of obstructing justice and concealing knowledge that a federal felony had been committed.

Mr Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.

A lawyer for Mr Sullivan, David Angeli, took issue with the verdict. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

Uber did not respond to a request for comment.

Mr Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to…
