Former Uber security chief convicted in hack cover-up: reports

The prosecution of a former head of security at Uber for his handling of a massive hack has others in the industry worried about being held personally accountable for decisions made on the job. Photo: JUSTIN SULLIVAN / GETTY IMAGES NORTH AMERICA/Getty Images via AFP
Source: AFP

A jury on Wednesday found Uber's former security chief guilty of federal crimes for covering up a massive hack that compromised personal information of users and drivers, according to US media reports.

Joseph Sullivan was found guilty of obstructing the work of the Federal Trade Commission and of failing to let authorities know about a crime when he hid a 2016 hack instead of reporting it, according to news outlets.

Sullivan could be sentenced to prison time.

Sullivan sought to pay off the hackers by funneling money through a "bug bounty" program that rewards developers for revealing security vulnerabilities without doing any harm, according to the criminal complaint.

Uber paid the hackers $100,000 in bitcoin cryptocurrency in December 2016, and Sullivan wanted them to sign non-disclosure agreements promising to keep mum about the affair, prosecutors said.

Sullivan was Uber chief security officer from April 2015 to November 2017.

The criminal complaint maintains that Sullivan deceived Uber's new chief executive Dara Khosrowshahi, appointed in mid-2017 to replace Travis Kalanick, about the breach.

"Silicon Valley is not the Wild West," US Attorney David Anderson for the Northern District of California said in a statement when the charges were filed.

"We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."

Two members of the Uber information security team who "led the response" that included not alerting users about the data breach were let go from the San Francisco-based company, according to Khosrowshahi.

The Uber chief said he had learned that outsiders broke into a cloud-based server used by the company for data and downloaded a significant amount of information.

Stolen files included names, email addresses and mobile phone numbers for millions of riders, and the names and driver license information of some 600,000 drivers, according to Uber.

Co-founder and ousted chief Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Khosrowshahi learned of the incident, according to an AFP source.

Uber did not respond to a request for comment on the verdict.

Casey Ellis, founder and CTO at Bugcrowd, a San Francisco-based leader in crowd-sourced cybersecurity, said, "It's a significant precedent that has already sent shockwaves through the CISO (chief information security officer) community."

"It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment."
