
Federal prosecutors in the United States have charged Uber's former chief security officer, Joe Sullivan, with covering up a massive data breach [1] that the ride-hailing company suffered in 2016.

According to the press release published [2] by the U.S. Department of Justice, Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach", which also involved paying the hackers a $100,000 ransom [3] to keep the incident secret.

“A criminal complaint was filed today in federal court charging
Joseph Sullivan with obstruction of justice and misprision of a
felony in connection with the attempted cover-up of the 2016 hack
of Uber Technologies,” it says.


Uber's 2016 data breach exposed the names, email addresses, and phone numbers of 57 million Uber riders and drivers, as well as the driver's license numbers of around 600,000 drivers.

The company disclosed the breach to the public almost a year later, in November 2017, immediately after Sullivan left his job at Uber.

It was later reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were behind the incident, and that Sullivan approved paying them in exchange for promises to delete the customer data they had stolen.

It all started in 2016, when Sullivan, as Uber's representative, was responding to FTC inquiries about an earlier data breach from 2014; at the same time, Glover and Mereacre contacted him about the new breach.

“On November 14, 2016, approximately 10 days after providing his
testimony to the FTC, Sullivan received an email from a hacker
informing him that Uber had been breached again.”

“Sullivan’s team was able to confirm the breach within 24 hours
of his receipt of the email. Rather than report the 2016 breach,
Sullivan allegedly took deliberate steps to prevent knowledge of
the breach from reaching the FTC.”

According to court documents, the ransom was paid through Uber's bug bounty program in an attempt to record the extortion payment as a bounty for white-hat hackers, who report security issues without compromising data.

“Uber paid the hackers $100,000 in BitCoin in December 2016,
despite the fact that the hackers refused to provide their true
names (at that time),” federal prosecutors said. “In addition,
Sullivan sought to have the hackers sign non-disclosure agreements.
The agreements contained a false representation that the hackers
did not take or store any data.”

“Moreover, after Uber personnel were able to identify two of the
individuals responsible for the breach, Sullivan arranged for the
hackers to sign fresh copies of the non-disclosure agreements in
their true names. The new agreements retained the false condition
that no data had been obtained. Uber’s new management ultimately
discovered the truth and disclosed the breach publicly, and to the
FTC, in November 2017.”

Just last year, both hackers pleaded guilty [4] to several counts of hacking and extortion against Uber, LinkedIn, and other U.S. corporations.

In 2018, British and Dutch data protection regulators also fined Uber $1.1 million [5] for failing to protect its customers' personal information during the 2016 cyber attack.

If Sullivan is found guilty of the cover-up charges, he could face up to eight years in prison, as well as potential fines of up to $500,000.

References

  1. massive data breach (www.uber.com)
  2. published (www.justice.gov)
  3. paying hackers $100,000 ransom (thehackernews.com)
  4. pleaded guilty (thehackernews.com)
  5. fined Uber $1.1 million (thehackernews.com)
