The former Chief Security Officer of Uber is facing wire fraud charges over allegations that he covered up a data breach that saw hackers steal the records of 57 million passengers and drivers.
This tangled story reaches back to 2016, when two hackers discovered that Uber software engineers had carelessly exposed the login credentials they used to access an Amazon Web Services account which resulted in the theft of sensitive data related to Uber customers and drivers.
Names, email addresses and phone numbers, as well as driving license details, were stolen in the heist.
The hackers contacted Uber's security team, demanding a $100,000 Bitcoin payment be made for the secure erasure of the data.
And it's at this point that things get very peculiar. Because normally you would expect a business which has fallen victim to hackers, and had the data of third parties stolen from its systems, to inform the authorities, tell the public about the incident, warn affected individuals, and brief regulators about the data breach.
What you wouldn't expect to happen is what is alleged to have happened: namely that Joe Sullivan, Uber's then security chief, allegedly covered up the hack and arranged to give money to hackers disguised as a payment from the business's bug bounty program, in exchange for their silence.
In short, Uber didn't tell the world, or the affected individuals, about the data breach.
In fact, if the allegations are believed, Uber's security chief's ego meant he did not want to admit that there had been a security failure on his watch, and that he concealed the hack out of a desire to prevent drivers from defecting to Uber's rivals.
In this way, claim prosecutors, drivers were "defrauded" as they continued to share a proportion of their fares with Uber.
After news of the security breach ultimately (perhaps inevitably) became public knowledge a year or so later, Uber agreed to pay $148 million as a settlement for its concealment and poor handling of the incident.
The US Department of Justice announced this week that it would not be prosecuting Uber over the data breach, after the firm "admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the FTC."
In addition, Uber has agreed to maintain a comprehensive privacy program for 20 years, and is helping ongoing government investigations - including the criminal case against its former chief security officer, Joe Sullivan.
He may have thought he was acting to protect the company that employed him, but it seems Uber isn't prepared to return the favour.
Sullivan, who previously held a role heading up security at Facebook, faces up to 20 years in prison if convicted.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.