Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime

Former Uber Exec Joe Sullivan Found Guilty of Concealing 2016 Data Breach (nytimes.com) 10

According to the New York Times, former chief security officer of Uber, Joe Sullivan, has been found guilty of hiding a 2016 data breach from authorities and obstructing an investigation by the FTC into the company's security practices. The breach affected more than 57 million Uber riders and drivers. From the report: Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber's online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems. Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000. Mr. Sullivan's team referred them to Uber's bug bounty program, a way of paying "white hat" researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.

During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber. Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined in the company in 2017. The two hackers pleaded guilty to the hack in October 2019. States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators. Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation and that he concealed the hack from the F.T.C. Mr. Sullivan did not reveal the 2016 hack to Uber's general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark.

Mr. Sullivan did not reveal the 2016 hack to Uber's general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark. Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new Uber chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan. Mr. Clark testified that Mr. Sullivan told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research. Mr. Sullivan said he would discuss the breach with Uber's "A Team" of top executives, according to Mr. Clark's testimony. He shared the matter with only one member of the A Team: then chief executive Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
The case is "believed to be the first time a company executive faced criminal prosecution over a hack," notes the report.

"The way responsibilities are divided up is going to be impacted by this. What's documented is going to be impacted by this The way bug bounty programs are designed is going to be impacted by this," said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
This discussion has been archived. No new comments can be posted.

Former Uber Exec Joe Sullivan Found Guilty of Concealing 2016 Data Breach

Comments Filter:
  • The US government has everything there is to know about me because I got a clearance. All that data was hacked around the same time. Who is to be held responsible? Does the government have protections corporations do not for the same kind of thing?
  • by bubblyceiling ( 7940768 ) on Wednesday October 05, 2022 @05:16PM (#62942143)
    Excellent news. Now do it for the financial sector
    • by AmiMoJo ( 196126 )

      What is the punishment though? He has to pay a small fine, or does he spend years in jail?

  • What? Companies like Uber that pay their employees pennies aren't spending buckets of cash on protecting their customers? Color me SHOCKED!

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...