Former Uber chief security officer gets three-year probation for covering up data breach
Last Thursday, Uber’s former Chief Security Officer, Joe Sullivan, was sentenced to three years of probation. Previously, a jury in 2022 found him guilty of obstructing a judicial investigation and illegally concealing Uber’s data theft case.
The situation dates back to a significant data breach at Uber in 2016, when two hackers illicitly accessed Uber’s backup files stored on Amazon’s S3 storage service using stolen credentials, obtaining detailed information on 57 million passengers and drivers. In November 2016, the pair contacted Uber, demanding a $100,000 ransom.
To cover up the data breach scandal, then-Security Chief Joe Sullivan negotiated an agreement with the hackers. Both parties decided to disguise the ransom payment as a bug bounty to white-hat hackers, making the security incident appear as a typical vulnerability disclosure rather than a data leak.
In December 2016, Uber paid each of the two individuals $50,000 through its HackerOne bug bounty program. Prior to this, they had signed a confidentiality agreement with Uber, promising to delete the data. These two hackers later pleaded guilty in 2019, admitting to attacking and extorting several high-profile organizations, including Uber and LinkedIn.
It was not until November 2017 that Uber issued a data breach notification concerning the incident. By that time, the company had reached a $148 million settlement agreement with various US states and paid over $1 million in fines to British and Dutch data protection authorities.
“Corporate leaders are called upon to do the right thing even when it is embarrassing, even when it is bad for the company’s bottom line. Nobody, neither corporations nor the executives who lead them, is above the law.” said the Federal Bureau of Investigation official in charge of the case. Federal officials hope companies will not assist criminal hackers in covering their tracks. Do not exacerbate customers’ problems or conceal criminal attempts to steal people’s personal data.
Last month, US federal officials urged the judge to sentence Joe Sullivan to 15 months in prison for obstruction of justice. However, ultimately, the San Francisco judge sentenced the former Uber Chief Security Officer to three years of probation and 200 hours of community service.
Via: theregister
