The firm’s former chief information security officer was found guilty of hiding a massive data breach from federal investigators.
A federal jury has convicted Uber’s former security chief of charges related to a 2016 cover-up involving the ride-share giant, according to journalists present in the courtroom.
Joe Sullivan, who was found guilty of one count of obstruction and one count of misprision of a felony on Wednesday, helped to conceal a massive 2016 data breach from authorities, while also obstructing a Federal Trade Commission investigation.
Sullivan’s troubles began in the fall of 2016, when two cybercriminals managed to compromise an Amazon data storage server operated by the company and stole personally identifying information on some 600,000 Uber drivers, as well as approximately 57 million users of the ride-share app. The hackers then contacted Sullivan via email in an attempt to extort the company for $100,000.
To complicate matters, Uber was being investigated by the FTC for a previous hacking incident at the time of the breach. Sullivan secretly paid off the hackers via the company’s bug bounty program and then later misled federal investigators about what had occurred.
Under Sullivan’s watch, the public was never notified about the incident, despite the fact that the criminals had stolen users’ names, phone numbers, and email addresses. Uber drivers’ license numbers were also stolen.
Federal prosecutors alleged that Sullivan subsequently attempted to “conceal, deflect, and mislead the Federal Trade Commission about the breach.” Sullivan’s charges stem from the cover-up, not paying the hackers. The latter has become increasingly common in the cybersecurity industry in recent years.
A former federal prosecutor turned corporate cybersecurity guru, Sullivan took over security at Uber after working a similar stint at Facebook and other high-level positions in Silicon Valley. Sullivan helmed operations at the global ride-share firm until November of 2017, when Uber’s new CEO, Dara Khosrowshahi, took over. After Khosrowshahi discovered what had occurred, Sullivan was subsequently fired, along with other members of the security team.
The hackers behind the episode were ultimately arrested and charged in connection with the incidents. They pled guilty to related crimes in 2019.
The case has decidedly split those in the cybersecurity community. The New York Times reports that this could be the first time that a security executive was held liable for a hacking incident in this way. The episode could ultimately set a new precedent for future cases in which CISOs must face legal consequences over data breaches. Some security professionals have suggested that Sullivan was “scapegoated” for the incident.
Suggest an edit to this article
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.