Uber’s former security chief found guilty of covering up 2016 data breach • TechCrunch



Uber’s former head of security has been found guilty of criminal obstruction for attempting to cover up a data breach that saw tens of millions of customer and driver records stolen.

A federal jury in San Francisco convicted Joseph Sullivan, Uber’s former chief security officer (CSO), of obstructing justice and concealing knowledge that a federal felony had been committed, the Department of Justice confirmed on Wednesday.

The case pertains to a breach of Uber’s systems in 2016 that exposed the data of 50 million customers and 7 million drivers, including names, email addresses and phone numbers. Around 600,000 driver’s license numbers for U.S. drivers were also included in the breach.

The data breach occurred just a few months after Sullivan was hired by Uber to help the company beef up its cybersecurity after a smaller breach in 2014 that saw hackers access roughly 50,000 customers’ personal information.

After learning of the 2016 breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission (FTC), which had been investigating the 2014 breach, prosecutors say.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly managed” and that the story outside of the security group was to be that “this investigation doesn’t exist.” He also arranged to pay the hackers $100,000 under the guise of a bug bounty program in exchange for them signing non-disclosure agreements promising not to reveal the hack.

Uber fired Sullivan in 2017, and in 2020 federal prosecutors charged him with one count of obstruction and one count of misprision of a felony. His trial is believed to be the first time a company executive has faced criminal prosecution over a hack.

“Technology companies in the Northern District of California collect and store vast amounts of information from users,” said U.S. Attorney Hinds. “We expect those companies to protect that information and to alert customers and appropriate authorities when such information is stolen by hackers. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

Uber didn’t publicly disclose the incident or inform the FTC until a new chief executive, Dara Khosrowshahi, joined the company in 2017. Since then, Uber has paid $148 million to settle a case brought by 50 U.S. states and the District of Columbia for attempting to cover up the breach. It was also hit with fines from the U.K. and Dutch data protection authorities totalling nearly $1.2 million; the breach affected 82,000 drivers based in the U.K. and 174,000 Dutch citizens.

A sentencing date has not yet been set, but Sullivan faces a maximum of five years in prison for the obstruction of justice charge, and up to three years for failing to report the crime, according to the DOJ.

News of Sullivan’s conviction comes just weeks after Uber confirmed a recent breach that saw hackers break into the company’s network and access systems that store vast troves of customer data. Uber later revealed the Lapsus$-affiliated hacker stole some internal information and Slack messages, but said that no sensitive information, like credit card data and trip histories, was taken.
