Former Uber security chief found guilty of covering up data breach

A jury in San Francisco has found Uber’s former chief security officer guilty of failing to report a 2016 cyber security incident to the authorities, a spokesperson from the Department of Justice has confirmed.

Former CSO, Joseph Sullivan, was found guilty on two counts: obstruction of justice and deliberate concealment of felony.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US Attorney for the Northern District of California.

The case is in relation to a breach of Uber’s systems that involved the data of 57 million passengers and drivers. Uber did not disclose the incident for a year.

In July, Uber admitted responsibility for covering up the breach and agreed to work with the prosecution of Sullivan, who was fired in 2017, over his alleged role in concealing the hack.

Sullivan was initially accused in September 2020. Prosecutors claimed that he arranged to pay the hackers $100,000 in bitcoin and had them sign a nondisclosure agreement that falsely stated they held no stolen data.

The form chief security officer was also accused of holding back information from Uber officials who could have disclosed the breach to the FTC. The FTC had already been looking into Uber’s data security after a 2014 breach.

In September 2018, Uber paid $148mn to settle claims in all 50 US states and Washington D.C., over it being too slow in disclosing the hacking.

California law requires companies to disclose breaches of data security, which Sullivan failed to do, the court found. He was charged for obstruction due to accusations that he impeded the FTC’s investigation of Uber’s security practices.

The two attackers involved, Brandon Charles Glover and Vasile Mereacre, pleaded guilty in 2019, with Mereacre testifying at Sullivan’s trial that he and his partner wanted to extort money from Uber. The two have yet to be sentenced, which may follow from the government’s desire to have their testimony.

Ransomware is a growing threat to enterprises, with attackers taking data hostage and demanding huge payments in return. To find out more about Ransomware and what your company can do about it, check out TechInformed’s Ransomware series by CLICKING HERE.