Former Uber Security Chief Convicted

With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.

The verdict ended a dramatic case that pitted Joe Sullivan, a prominent security expert who was an early prosecutor of cyber crimes for the San Francisco US attorney’s office, against his former government office.

In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Now, a jury in San Francisco found Joe Sullivan, who was fired from Uber in 2017, guilty of obstruction of justice and concealing a felony.

At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data. Increasingly, companies negotiate with ransomware hackers. But investigators said they must "do the right thing" when their systems are breached.

The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney's office.

After Sullivan's conviction his lawyer, David Angeli, said: "Mr Sullivan's sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people's personal data on the internet," The Washington Post reported.

But prosecutors said the case was a warning to companies. "Technology companies in the Northern District of California collect and store vast amounts of data from users... We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers," the US attorney Stephanie Hinds said.

Ms. Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he "took steps to prevent the hackers from being caught".

At the time, the FTC was already investigating Uber following a 2014 hack. When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ).

Staff working for Sullivan confirmed that data, including about 57 million Uber users' records and 600,000 driving-licence numbers, had been stolen.

According to the US Department of Justice (DOJ), Sullivan arranged for the hackers to be paid in bitcoin in exchange for them signing non-disclosure agreements not to reveal the hack to anyone. The hackers were paid in December 2016, even though they had refused to provide their true names. The payment was disguised as a "bug bounty", a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair - both of whom have since been convicted of criminal offences - in January 2017 and required them to sign new agreements in their own names. The two cyber criminals were Brandon Charles Glover and Vasile Mereacre, who pleaded guilty in 2019.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly controlled” and that the story outside of the security group was to be that “this investigation does not exist.”

Sources: BBC, Washington Post, DOJ, Computing, Guardian, Register, TechCrunch.
