
Former Uber security chief sentenced for data-breach cover-up


SAN FRANCISCO — The former chief security officer for Uber was sentenced to probation Thursday for trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

Joseph Sullivan was sentenced to a three-year term of probation and ordered to pay a fine of $50,000, the U.S. attorney’s office announced.

Sullivan, 54, of Palo Alto was convicted by a federal jury in San Francisco last October of obstructing justice and concealing knowledge that a federal felony had been committed.

It was believed to be the first criminal prosecution of a company executive over a data breach.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’ ” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.

Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered, and the breach was made public, prosecutors said.

Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.

Prosecutors had recommended a sentence of 15 months in federal prison for Sullivan, who submitted more than 100 letters of support from friends, family and colleagues.

In an April sentencing memo, prosecutors said that showed that Sullivan is “a wealthy, powerful man” with a deep network of family and friends.

“There…


Uber’s former security chief convicted of data hack coverup


Uber Technologies Inc.’s former security chief was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.

Joe Sullivan was found guilty in federal court in San Francisco on Wednesday by a jury that rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.

The trial featured almost four weeks of testimony that explored cybersecurity management as well as a shakeup at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as chief executive.

Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.

Sullivan, a former federal prosecutor who previously headed security for Facebook, is well known for his expertise in the field in Silicon Valley. He faces as much as eight years in prison, though his sentence probably will be far less.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”

Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in U.S. history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach in 2014.

Sullivan was accused of actively covering up the hack.

Prosecutors alleged that he quietly arranged for the company to pay the hackers $100,000 in bitcoin to delete the stolen data under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty.” In return, the two hackers agreed not to…


Former Uber security chief guilty of data breach coverup


SAN FRANCISCO – The former chief security officer for Uber was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal felony had been committed, federal prosecutors said.

Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

A lawyer for Sullivan, David Angeli, took issue with the verdict.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

An email to Uber seeking comment on the conviction wasn’t immediately returned.

Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry,…


Former Uber chief security officer to face wire fraud charges over coverup of 2016 hack


A U.S. District Court judge has ruled that former Uber Technologies Inc. Chief Security Officer Joe Sullivan must face wire fraud charges over allegations that he covered up a security breach involving the theft of 57 million passenger and driver records.

Sullivan was initially charged in August 2020 with obstruction of justice and “misprision” or concealment of a felony by the U.S. Attorney’s Office in the Northern District of California. The Department of Justice added three additional charges against Sullivan in December, claiming that he arranged to pay money to two hackers to conceal the hacking.

Reuters reported Tuesday that lawyers for Sullivan argued prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers would not flee and would continue paying service fees. Judge William Orrick also rejected a claim that Sullivan was only attempting to deceive Uber’s then-Chief Executive Officer Travis Kalanick and Uber’s general counsel, not drivers.

“Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them,” Orrick wrote.

The theft of the 57 million records took place in 2016 and came after Sullivan had assisted the Federal Trade Commission concerning Uber’s security practices following an earlier breach in 2014. Sullivan was made aware of the 2016 hack 10 days after providing testimony to the FTC but allegedly took steps to hide the details.

It is alleged that Sullivan paid the hackers by funneling the payoff through Uber’s bug bounty program. Sullivan also sought to have the hackers sign nondisclosure agreements that included a false representation that the hackers did not take or store any data. It was also alleged that Kalanick was aware of Sullivan’s actions.

The details of the hack only came to light when current CEO Dara Khosrowshahi took over the reins at Uber, but even then, Sullivan allegedly deceived the new management team by failing to provide them with critical details.

Uber paid $148 million in September 2018 to settle various investigations into the hack and its failure to disclose it at the time it happened. The two hackers were…
