What just happened? In what is believed to be a first, a company executive has been found guilty of charges of concealing a hack. Joe Sullivan, Uber’s former chief security officer, authorized payments to perpetrators of a 2016 data breach that stole the personal information of 50 million Uber customers and 7 million drivers.
The Washington Post reports that a jury found Sullivan — a former cybercrime prosecutor at the San Francisco U.S. Attorney’s Office — guilty of obstructing justice by failing to disclose the October 26, 2016 FTC violation; businesses are required to disclose data breaches under state and federal laws. He was also found guilty of actively hiding a crime or misdemeanor.
The hackers anonymously emailed Uber in 2016, telling the company that they had accessed its Amazon Web Services (AWS) storage and downloaded loads of data, including names, email addresses and phone numbers, and 600,000 US driver’s license numbers. It later emerged that they achieved this by accessing a private GitHub coding page used by Uber software engineers and using the credentials obtained there.
The hackers were referred to Uber’s bug bounty program, but the $10,000 maximum reward didn’t satisfy the criminals, who demanded a six-figure sum in exchange for deleting the stolen information and remaining silent about the incident. During the FTC investigation into a similar violation in 2014, Uber agreed to pay $100,000 in bitcoin under the guise of a bug bounty payment. The two hackers were later arrested and pleaded guilty to hacking charges.
The hack only became public knowledge in November 2017 when new CEO Dara Khosrowshahi disclosed it and fired Sullivan. Prosecutors allege that Sullivan kept the breach secret to protect his reputation.
“Sullivan worked diligently to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US Attorney for San Francisco, said in an email to Bloomberg. “We will not tolerate the withholding of important information from the public by executives of companies who are more interested in protecting their reputation and that of their employers than protecting users.”
Sullivan faces up to eight years in prison but is reportedly likely to receive a much shorter sentence.
Uber confirmed it suffered another data breach last month that could have been as bad or worse than the 2016 incident. It was carried out by the same 18-year-old hacker behind the GTA 6 leak, who has since been arrested.
https://www.techspot.com/news/96224-former-uber-executive-found-guilty-covering-up-2016.html Former Uber exec found guilty of covering up 2016 hack