Ex-Uber CSO convicted of cover-up in 2016 data breach

Former Uber Technologies chief security officer (CSO) Joe Sullivan has been convicted by a jury of hiding a 2016 data breach from the U.S. Federal Trade Commission.

Bloomberg News reported the San Francisco jury rejected his defence that other executives knew about the coverup and were liable, convicting him of obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers. That included around 800,000 Canadians.

Sullivan was accused of quietly arranging for Uber to pay the hackers US$100,000 in Bitcoin to delete the stolen data, under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty,” the news report said. In return, the two hackers agreed not to disclose that they had stolen the data. The hackers later pleaded guilty for their role in the incident.

The October 2016 hack stayed secret until November 2017, when it was disclosed by the new chief executive officer (CEO), Dara Khosrowshahi.

The prosecution noted that Sullivan emailed Uber’s then-CEO about the hack 12 hours after it was identified.

The incident has been hanging over Uber ever since. In 2018 it paid $148 million in a civil settlement to all 50 states and Washington D.C. for the coverup.

Separately, in July Uber entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the ride-sharing company deceiving customers about its privacy and data protection practices.

Sullivan will be sentenced for Wednesday’s conviction at a future date.

In a commentary, David Lindner, CISO at Contrast Security, said the whole situation is particularly unfortunate for Uber and the broader legal/security communities. “What Uber did was cover up a breach by means of hiding it as a bug bounty submission,” he said in a statement. “The conviction of the security chief is a fantastic start but for what was disclosed there should really be even more accountability of the executives and even board members.

“Transparency is the only path forward for companies. Transparency of breaches, transparency of known vulnerabilities, and transparency of the components used to build their software. Uber failed in being transparent and it has resulted in not only a fine but in the conviction of a human behind the decisions. We will see more of this if we don’t move to transparency quickly.”
