Former Uber security chief found guilty of data breach concealment
Yash Ranjan, 10/06/2022
In 2016, hackers gained access to tens of millions of customer records from the ride-hailing service. The former chief security officer for Uber has now been found guilty of attempting to hide the breach. A federal jury in San Francisco found Joseph Sullivan guilty of obstructing justice and of concealing knowledge that a federal felony had been committed, according to federal prosecutors. Prosecutors said that Sullivan, who is currently out on bond pending sentencing, could be sentenced to a total of eight years in prison for the two charges.
U.S. Attorney Stephanie M. Hinds stated that her office would not tolerate corporate executives hiding crucial information from the public if they are more concerned with preserving their reputation and that of their employers than with safeguarding users. Technology companies in the Northern District of California collect and store enormous amounts of user data. The case was regarded as the first criminal prosecution of a company executive over a data breach. In 2015, Sullivan was hired as Uber's chief security officer. Hackers emailed Sullivan in November 2016, and employees quickly confirmed that they had stolen records on approximately 57 million users as well as 600,000 driver's license numbers, according to prosecutors. Authorities said that after learning of the breach, Sullivan devised a plan to conceal it from the public and from the Federal Trade Commission, which was investigating a smaller 2014 hack.
The U.S. Attorney's office claims that Sullivan instructed subordinates that the story outside of the security group should be that there was no investigation going on. He also reportedly arranged to pay the hackers $100,000 in bitcoin in exchange for their signing non-disclosure agreements promising not to disclose the hack. Additionally, according to the prosecution, he never disclosed the breach to the Uber lawyers working on the FTC investigation. The U.S. Attorney's office said that Sullivan carried out these actions even though he was aware that the hackers were also hacking and blackmailing other businesses in addition to Uber.
In the autumn of 2017, Uber's new management started looking into the breach. According to the prosecution, Sullivan misled the new CEO and others, but the truth came out and the breach was made public. Craig Clark, a lawyer for Uber whom Sullivan had informed about the breach, was fired along with Sullivan. In exchange for his testimony against Sullivan, Clark received immunity from prosecution. No additional executives from Uber were indicted in this case. In 2019, the hackers pleaded guilty to conspiring to commit computer fraud; they are currently awaiting sentencing. Sullivan was found guilty of misprision of a felony, the concealment of knowledge of a felony from law enforcement, and of obstruction of the Federal Trade Commission's proceedings.
Some experts have questioned how much Uber's cybersecurity has advanced since the breach. Following what security experts described as a major data breach, the company declared last month that all of its services were operational and that there was no evidence that the hacker had accessed sensitive user data. The lone hacker reportedly gained access by impersonating a colleague and duping an Uber employee into giving up their login information. According to screenshots the hacker provided to security researchers, they obtained full access to the cloud-based systems Uber uses to store confidential customer and financial information. It is not known how long the hacker had access to Uber's network or how much data they accessed. There was no sign that they deleted any data.