Former Uber executive found guilty of covering up 2016 hack


What just happened? In what is thought to be a first, an executive at a company has been found guilty of charges relating to concealing a hack. Joe Sullivan, Uber's former chief security officer, authorized payments to the perpetrators of a 2016 data breach that saw the personal details of 50 million Uber customers and 7 million drivers stolen.

The Washington Post reports that a jury found Sullivan—a former prosecutor of cybercrimes for the San Francisco US attorney's office—guilty of obstructing justice for not revealing the October 26, 2016, breach to the FTC; companies are required to disclose data breaches under state and federal laws. He was also found guilty of actively hiding a felony, or misprision.

The hackers emailed Uber anonymously in 2016, informing it that they had accessed the company's Amazon Web Services (AWS) storage and downloaded swathes of data, which included names, email addresses, and phone numbers, along with 600,000 US drivers' license numbers. It later emerged that they achieved this by accessing a private GitHub coding site used by Uber software engineers and using the login credentials they obtained there.

The hackers were directed to Uber's bug bounty program, but its maximum $10,000 reward didn't satisfy the criminals, who wanted a six-figure sum in return for deleting the stolen info and keeping quiet about the incident. Already under FTC investigation over a similar 2014 breach, Uber agreed to a $100,000 payment in Bitcoin under the guise of it being a bug bounty payment. The two hackers were later arrested and pleaded guilty to hacking charges.

The hack only became public knowledge in November 2017 when new CEO Dara Khosrowshahi disclosed it and fired Sullivan. Prosecutors claim Sullivan kept the breach hidden to protect his reputation.

"Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught," Stephanie Hinds, US attorney for San Francisco, said in an email to Bloomberg. "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users."

Sullivan faces up to eight years in prison but is reportedly likely to receive a much shorter sentence.

Uber confirmed it suffered another data breach last month that could have been as bad as or worse than the 2016 incident. It was carried out by the same 18-year-old hacker behind the GTA 6 leak, who has since been arrested.



Avro Arrow

Posts: 3,312   +4,300
Good. It's about f*n time that the executive-class gets slapped with more than just fines that are painless for them to pay.


Posts: 378   +794
TechSpot Elite
Chat, need some help with this article. From what I read, I understand that the guy was punished but the company, the infamous perpetrator Uber, not so much. It's like the company blamed Sullivan for all the mess. I found this improbable without higher exec staff from Uber not knowing and participating. Because no way that Sullivan or whoever else from Uber could make the payment to the hacker without higher exec or CEO knowledge and approval. They made him a scapegoat and tossed him to the feds when FTC came after Uber?