Joe Sullivan, the former chief security officer for Uber, was convicted for hiding details of a hack that could have affected over 57 million Uber users, including customers and drivers.
The charges were filed over the 2016 cyberattack in which a hacker group stole users’ personal information from the company’s databases. The stolen data included the names, email addresses, and contact details of 50 million users and 7 million Uber drivers. For the latter, the breach compromised permanent addresses and license numbers.
The jury convicted Sullivan on two counts: one for obstructing justice by hiding the breach from the FTC and another for misprision, which is concealing a fraud from legal authorities in the US, the New York Times reported.
Uber data breach 2016 and Joe Sullivan
Joe Sullivan has served as a security executive at tech giants such as Facebook and Cloudflare. According to the prosecution, the hackers used a pattern similar to the one noted in the 2014 Uber breach, where the company suffered a cyberattack that left details of over 100,000 individuals exposed. The 2016 case was swept under the rug because Sullivan hindered any detection and media coverage of the breach and kept the hack hidden from the general public, a report stated.
The 2016 Uber breach occurred when threat actors accessed Uber’s Amazon Web Services (AWS) storage. The threat actors then downloaded the database backups, which included the data of Uber customers as well as Uber drivers. The hackers then contacted Uber for a ransom in exchange for deleting the stolen information.
The American mobility company paid a ransom to the threat actors under the guise of a Bug Bounty program. The hackers were finally caught by authorities in 2019 and pleaded guilty to hacking into the company’s database and stealing the personal information of users and drivers.
Joe Sullivan charges over Uber data breach
In the hearing that began earlier this September, the prosecutors showed evidence against Sullivan and shared the details of the hack and the payment method used for the ransom. The prosecutors also claimed that the former Uber CEO Travis Kalanick knew about the incident and the payment made to the hackers. They also claimed that Sullivan didn’t inform Uber’s general counsel about the breach, and the new CEO, Dara Khosrowshahi, was unaware of the incident.
Bloomberg reports that Sullivan didn’t reveal the breach to the company in order to protect his reputation because, as chief security officer for Uber, he was supposed to protect the company from cyberattacks and hackers after joining the organization in 2015. The report added that Sullivan could face up to eight years in prison; however, there is a possibility that the sentence may be reduced.
Under the new CEO, Dara Khosrowshahi, Uber has fired Sullivan, publicly admitted to the breach, and paid $148 million in civil litigation over the breach to all 50 states. However, despite all the claims, Sullivan’s lawyers tried to justify his actions, stating that he did all of this to prevent the leak of users’ data and even informed the CEO and other necessary personnel about the incident.
Sullivan and his team also identified the hackers and got them to sign NDAs under their real names, agreeing not to leak any of the stolen data in exchange for the ransom from the Bug Bounty program.