Uber’s former chief security officer, Joe Sullivan, was very recently charged by the federal prosecutors in the United States for covering up an enormous data breach that the company had endured in 2016.
Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach” that additionally included paying hackers $100,000 ransom to keep the incident a secret, according to the press release published by the U.S. Department of Justice.
It said, “A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies.”
The 2016 Uber’s data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driving license numbers of around 600,000 drivers.
The company revealed this data out in the open almost a year later in 2017, following Sullivan’s exit from Uber in November.
Later it was reported for, that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were the ones responsible for the incident and were the ones to whom Sullivan ‘approved’ paying cash in return for the promises to delete information of the clients that they had stolen.
The problem initially began when Sullivan, as a representative for Uber, in 2016 was reacting to FTC inquiries with respect to a previous data breach incident in 2014, and at the same time, Brandon and Vasile reached him in regards to the new data breach.
“On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again and his team was able to confirm the breach within 24 hours of his receipt of the email. Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC.”
As indicated by court archives, the ransom amount was paid through a bug bounty program trying to document the blackmailing payment as ‘bounty’ for white-hat hackers who highlight the security issues however have not compromised information.
The federal prosecutors said, “After Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”
However just last year, the two hackers were pleaded guilty to a few counts of charges for hacking and blackmailing Uber, LinkedIn, and various other U.S. corporations. In 2018, English and Dutch data protection regulators had likewise fined Uber with $1.1 million for neglecting to secure its clients’ personal data during a 2016 cyber-attack.
As of now, if Sullivan is found guilty of cover-up charges, he could expect at least eight years in prison along with potential fines of up to $500,000.