Ex-Uber Security Chief Found Guilty And Sentenced For Covering Up Hack
On May 4th, 2023, Joe Sullivan was found guilty of covering up a data breach at his former place of employment, Uber, in 2016. According to the case reports, Sullivan paid the hackers a total sum of $100,000 (£79,000).
The sentencing was done by US District Judge William Orrick in San Francisco. Mr. Sullivan was sentenced to three years of probation. He was also instructed to pay a fine of $50,000 as well as 200 hours of community service.
According to the Wall Street Journal, Judge William showed Sullivan leniency because of his character but also because this was the first-ever case of its kind. Joe Sullivan is the first business executive to be found guilty of a data breach by third parties.
Judge William also emphasized Mr. Sullivan’s previous work in the industry where he protected the public from the very crime he would later conceal. He also said that while Sullivan’s actions were dubious and careless, he did succeed in keeping the stolen data from being exposed.
See also
The judge said, “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs [chief information security officers], you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
The Uber Hack And Sullivan’s Concealing
In November 2014, Uber suffered a data breach where the information of 50,000 customers was exposed. This hack was disclosed to the FTC the company was investigated and served with a Civil Investigative Demand by the FTC.
The demand required the company to disclose comprehensive details about company data security policies as well as specifics about any other instances where unauthorized parties acquired access to private user information.
Joe Sullivan was hired as Uber’s Chief Security Officer (CSO) in April 2015. In November 2016, hackers contacted Mr. Sullivan claiming that they had stolen a large amount of data. The information included the records of 57 million Uber customers, that is names and phone numbers.
This was ten days after Sullivan had testified to the FTC about Uber’s security policy after the 2014 data breach. The hackers demanded a large ransom payment from the company and claimed they would delete the stolen data in exchange.
Mr. Sullivan allegedly kept this information hidden. In December 2016, the company would pay the hackers $100,00 in bitcoin. In exchange, the hackers signed non-disclosure agreements (NDAs) to keep the hack a secret and to approve the claim that no data was taken or stored as a result of the breach.
In January 2017, Uber was able to identify the two hackers. The company issued them with new NDA agreements in their real names. In August 2017, the company had new management who started an investigation into the payment.
When questioned on the matter, Sullivan lied to then-new CEO Dara Khosrowshahi as well as the lawyers about the hack. According to QZ, Sullivan passed it off as a corporate bug bounty program where the company paid white-hat hackers to help find bugs and holes in their system.
According to evidence presented during the trial, Sullivan made efforts to prevent the FTC from learning about the hack. This includes instructing a subordinate that information on the hack had to be “tightly controlled” and that they “can[not] let this get out”.
Additionally, he informed staff members who weren’t part of the security team that “this investigation does not exist” according to the company’s official statement.
The management finally came to the truth of the situation in November 2017. Sullivan was fired immediately and the breach was disclosed publicly as well as the public.
In October 2019, the two hackers who had been arrested were charged with computer fraud conspiracy, prosecuted, and pleaded guilty to the charges. They have not been sentenced as of yet.
In October 2022, Sullivan was convicted by a federal jury for obstructing justice and concealing a felony. After conviction, prosecutors were calling for a 15-month prison sentence but the judge opted for a more lenient option.
Planning a trip to Paris ? Get ready !
These are Amazon’s best-selling travel products that you may need for coming to Paris.
Bookstore
- The best travel book : Rick Steves – Paris 2023 – Learn more here
- Fodor’s Paris 2024 – Learn more here
Travel Gear
- Venture Pal Lightweight Backpack – Learn more here
- Samsonite Winfield 2 28″ Luggage – Learn more here
- Swig Savvy’s Stainless Steel Insulated Water Bottle – Learn more here
Check Amazon’s best-seller list for the most popular travel accessories. We sometimes read this list just to find out what new travel products people are buying.
