Former Uber Exec Faces Eight Years in Prison over Cover-Up of 2016 Hack

Filip TRUȚĂ

August 21, 2020


Uber’s former chief security officer, who allegedly paid off hackers to keep a massive data breach secret, has been charged with obstruction of justice and misprision of a felony. The 52-year-old faces up to 8 years behind bars for his crimes.

The U.S. Department of Justice this week announced that Joseph Sullivan of Palo Alto, California, allegedly took “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission about the widely circulated hack of Uber Technologies Incorporated in 2016.

As some readers will remember, four years ago, two hackers breached a database owned by the ride-hailing firm and stole personally identifying information associated with approximately 57 million Uber users and drivers. The duo allegedly contacted Sullivan by email and demanded a six-figure payment in exchange for silence. Sullivan, according to the complaint, paid the hackers $100,000.

The exec sought to conceal the payment through a rigged bug-bounty program in which he artificially enrolled the hackers, despite not knowing their real names. Uber management ultimately discovered Sullivan’s attempt to conceal the hack and hide critical details about the affected data and made the tough decision to alert authorities about the breach.

The DOJ press release describes, in fine detail, Sullivan’s convoluted attempts to conceal the incident and deceive Uber management about the event:

“In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”

“The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”

The two hackers were prosecuted last year after pleading guilty to all charges. They now await sentencing, the DOJ says.

As for Sullivan, he is charged with obstructing justice and misprision of a felony, carrying penalties of five and three years, respectively. Sullivan’s initial federal court appearance has not yet been scheduled.

In 2018, the Information Commissioner’s Office (ICO) in the UK fined the ride-sharing company £385,000 for the breach, which translated into around $490,000 at that time. Had the violation occurred after the GDPR took effect in May 2018, the penalty could have been up to 200 times larger. Around the same time, the Netherlands fined Uber as well, €600,000, through its data protection authority, Autoriteit Persoonsgegevens.
