Heimdal

Uber’s former chief security officer, Joe Sullivan, has been found guilty of obstruction of justice and concealing a felony by a jury in San Francisco.

For Sullivan, who at one point in his career prosecuted cybercrime for the US attorney’s office in San Francisco, the conviction represents a stunning turnabout. After the conviction, his lawyer David Angeli declared that Mr. Sullivan’s sole focus in his career, and implicitly in this incident, has been to ensure the safety of people’s personal data on the internet, according to the Washington Post.

We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.

Stephanie M. Hinds, U.S. Attorney (Source)

According to Stephanie Hinds, Sullivan “made steps to prevent the hackers from being caught” and attempted to conceal the data breach from US regulator the Federal Trade Commission (FTC). The FTC was already investigating the company at that time, following a 2014 cyberattack.

Data of Millions of Users Stolen

According to the US Department of Justice (DOJ), when Uber was hacked again, the perpetrators sent Sullivan an email claiming to have taken a significant amount of data that they would destroy in exchange for a ransom.

The staff working under Sullivan confirmed that data, including 57 million Uber users’ records and 600,000 driving license numbers, had been stolen by the attackers. In 2016, Sullivan arranged for the attackers to be paid $100,000 in bitcoin in exchange for signing non-disclosure agreements not to reveal the hack, even though they refused to provide their real names.

The payment was disguised as a “bug bounty”, a reward that is usually used to pay cybersecurity researchers who disclose vulnerabilities to be fixed.

According to the BBC, Uber eventually identified the pair of hackers responsible for the attack. Both of them were convicted of criminal offenses in January 2017 and were required to sign new NDAs, this time in their own names.

Cybersecurity Executives Scared

Sullivan’s conviction has sent shivers down the spines of other cybersecurity executives. Being a chief information security officer is already a difficult job, with organized ransomware gangs, government-backed hacking teams, and anarchist adolescents targeting businesses.

Corporations targeted by ransomware gangs negotiate with hackers and pay them to stay silent on a daily basis. Giving cybercriminals what they want doesn’t carry the same weight it once did, but businesses must always be open and honest about how they handle situations that affect both them and their clients online.

The breach was eventually reported to the FTC in 2017, after a new management team at Uber carried out its own investigation. In 2018, the company paid the US states $148m to settle the claims.

Sullivan has yet to be sentenced by the court and may appeal against the judgement.
