Former Uber security chief convicted for concealing a felony

Uber’s former chief security officer has been convicted for failing to notify US authorities about a 2016 hack into the company’s databases.

A jury in San Francisco found Joe Sullivan – who was fired from Uber in 2017 – guilty of obstructing justice and covering up a crime.

Companies are increasingly negotiating with ransomware hackers.

But investigators said companies had to “do the right thing” if their systems were breached.

The conviction is a dramatic setback for Sullivan, who at one point in his career prosecuted cybercrimes for the US Attorney’s Office in San Francisco.

After Sullivan’s conviction, his attorney, David Angeli, said, “Mr. Sullivan’s sole focus throughout this incident and throughout his distinguished career has been ensuring the security of people’s personal information online,” reported The Washington Post.

However, prosecutors said the case was a warning to companies.

“We expect these companies to protect this data and to notify customers and relevant authorities if such data is stolen by hackers,” said US Attorney Stephanie M. Hinds.

Ms Hinds accused Sullivan of working to hide the data breach from the US regulator, the Federal Trade Commission (FTC), adding that he “took steps to prevent the hackers from getting caught”.

At the time, the FTC was already investigating Uber following a hack in 2014.

When it was hacked again, the attackers emailed Sullivan, telling him they had stolen a large amount of data that they would delete for a ransom, according to the US Department of Justice (DOJ).

Uber officials confirmed that data, including about 57 million Uber user records and 600,000 driver’s license numbers, had been stolen.

According to the Justice Department, Sullivan arranged to pay the hackers $100,000 (£89,000) in bitcoin in exchange for them signing non-disclosure agreements to keep the hack secret.

The hackers were paid in December 2016 despite refusing to reveal their real names.

The payment was disguised as a “bug bounty,” a reward paid to cybersecurity researchers who uncover vulnerabilities so they can be fixed.

The Washington Post reported that the process allowed Uber to gather leads on the two hackers. The company finally identified the pair – both have since been convicted of felonies – in January 2017 and asked them to sign new agreements in their own names.

The conviction has sent shivers down the spines of many cybersecurity executives.

With organized ransomware gangs, government-backed hacking teams, and anarchic teenagers targeting corporations, being a chief information security officer is already a daunting task.

Sullivan being personally convicted for a decision made on his employer’s behalf sets a frightening precedent, some say.

For observers, the crimes Sullivan was convicted of committing in 2016 read strangely, even by today’s standards.

Negotiating with hackers and paying them to keep quiet is now done literally every day by companies hit by ransomware gangs.

The main difference, according to the jury, is that Sullivan tried to cover it up.

Giving cybercriminals what they want is no longer treated as seriously as it once was, but businesses, then as now, must be transparent about how they respond to cyber incidents that affect them and their customers.

The DOJ said that Sullivan “orchestrated these acts knowing that the hackers were hacking and blackmailing other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.”

A new management team at Uber eventually reported the breach to the FTC in 2017 after conducting its own investigation.

In 2018, Uber paid US states $148 million to settle claims that it was too slow to disclose the hack.

The verdict came as a surprise to many working in computer security. At the time, Sullivan reportedly informed some senior Uber employees about the threat.

The court also heard that internal legal advice had suggested there was no need to disclose the hack if the attackers were identified and agreed to delete the data and not disseminate it further.

In response to the verdict, Dr. Ilia Kolochenko, Founder of ImmuniWeb and member of the Europol Data Protection Experts Network, said: “The Uber case is just another vivid example of the unfolding global trend of holding cybersecurity executives accountable for their companies’ data breaches.

“Serious misconduct, such as the willful concealment of a data breach despite a legal obligation to report it to mitigate the damage, can even result in criminal penalties.”

Dr. Kolochenko said cybersecurity executives should urgently review whether their employment contracts cover issues such as legal fees in the event of a civil suit or criminal prosecution related to their job duties. Contracts should also include a guarantee that their employer will not sue them, as companies harmed by security incidents might do, he added.

Sullivan has not yet been sentenced and can appeal the verdict.
