Tag Archive for: convicted

Uber’s former security chief convicted of data hack coverup


Uber Technologies Inc.’s former security chief was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.

Joe Sullivan was found guilty in federal court in San Francisco on Wednesday by a jury that rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.

The trial featured almost four weeks of testimony that explored cybersecurity management as well as a shakeup at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as chief executive.

Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.

Sullivan, a former federal prosecutor who previously headed security for Facebook, is well known for his expertise in the field in Silicon Valley. He faces as much as eight years in prison, though his sentence probably will be far less.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”

Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in U.S. history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach in 2014.

Sullivan was accused of actively covering up the hack.

Prosecutors alleged that he quietly arranged for the company to pay the hackers $100,000 in bitcoin to delete the stolen data under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty.” In return, the two hackers agreed not to…

Ex-Uber chief security officer convicted of covering up data breach


SAN FRANCISCO – The ex-chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.

A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.

According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.

The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the FTC served the company with a demand for information about any other instances of unauthorized access to user personal information as well as information regarding its broader data security program and practices.

Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the FTC, participated in a presentation to the FTC in March 2016 and testified under oath on Nov. 6, 2016, regarding the company’s practices.

Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.

All told, the breach involved 57 million Uber users and 600,000 driver’s license numbers.

Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal the hack to anyone….

Ex-Uber security chief convicted of hiding hack from federal regulators


On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

When Sullivan first learned of the second data breach, he disguised the illegal activity by paying the hackers through Uber’s bug bounty program. Uber had just announced the program in March 2016 in coordination with HackerOne, a widely used security firm whose company values urge executives like Sullivan to “default to disclosure” and ask “why keep this private?” instead of “why make this public?” It took less than a year for Sullivan to use HackerOne’s bug bounty program as a way to avoid disclosing a hack.

HackerOne did not immediately respond to Ars’ request for comment. [Update: A HackerOne spokesperson told Ars, “HackerOne has made the executive decision not to comment.”]

The Times report suggested that Sullivan’s conviction could change how all companies manage data breaches in the future.

Uber did not provide comment to NYT or Ars. Previously, an Uber spokesperson directed Ars to a blog post in which Uber CEO Dara Khosrowshahi discussed how the…

A Juror Explains Why a C.I.A. Hacker Was Convicted


On July 13th, a jury of twelve New Yorkers returned a verdict in the trial of Joshua Schulte, the C.I.A. hacker accused of engineering the largest theft of classified information in the agency’s history. They found him guilty on all nine counts. Damian Williams, the U.S. Attorney for the Southern District of New York, who oversaw the case, described Schulte’s crime as “one of the most brazen and damaging acts of espionage” ever committed in America. This was Schulte’s second trial on these charges; in March, 2020, a jury had come to a deadlock on the most significant allegations against him, and a judge declared a mistrial. (I wrote about Schulte, and the revelations of that earlier case, in the magazine in June.) But members of the new jury, which was empanelled earlier this summer, were not aware that he had been tried before. Juror No. 4, Juan Flores, told me over coffee last week, “We knew nothing.” The jurors scrupulously obeyed instructions not to consult any media accounts of the case, Flores explained. “I’ve been in the city forty-seven years, and I’ve been called to jury duty twice,” he said. He feels good about the verdict: “The system worked.”

Flores has intense eyes and a gentle smile. He is a retired assistant principal who spent his career working in the public-school system in the Bronx. Testimony about Schulte’s workplace antics at the C.I.A. gave Flores occasional flashbacks to his years as an educator. “I used to conduct conflict resolution with third graders,” he recalled. “ ‘We’re going to move your desks.’ ‘O.K., you couldn’t let it go, so we’re going to move you to a different classroom.’ Schulte couldn’t drop it. He couldn’t leave it alone.” Flores said that Schulte seemed not to have ever learned “all those things you learn when you’re a kid.”

The government’s argument was that Schulte (whose penchant for disproportionate retaliation had earned him the office nickname the Nuclear Option) stole a huge trove of sensitive hacking tools and disclosed them to WikiLeaks, not because he was critical of U.S. policy but as an act of revenge against his colleagues and his superiors, who had criticized him…
