Former Uber Security Chief Convicted

With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.

The verdict ended a dramatic case that pitted Joe Sullivan, a prominent security expert who was an early prosecutor of cyber crimes for the San Francisco US attorney’s office, against his former government office.

In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Now, a jury in San Francisco found Joe Sullivan, who was fired from Uber in 2017, guilty of obstruction of justice and concealing a felony.

At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data. Increasingly, companies negotiate with ransomware hackers. But investigators said they must "do the right thing" when their systems are breached.

The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney's office.

After Sullivan's conviction, his lawyer, David Angeli, said that "Mr Sullivan's sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people's personal data on the internet," The Washington Post reported.

But prosecutors said the case was a warning to companies. “Technology companies in the Northern District of California collect and store vast amounts of data from users... We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers," the US attorney Stephanie Hinds said.

Ms. Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he "took steps to prevent the hackers from being caught".

At the time, the FTC was already investigating Uber following a 2014 hack. When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ).

Staff working for Sullivan confirmed that data, including about 57 million Uber users' records and 600,000 driving-licence numbers, had been stolen.

According to the DOJ, Sullivan arranged for the hackers to be paid in bitcoin in exchange for signing non-disclosure agreements not to reveal the hack to anyone. The hackers were paid in December 2016, even though they had refused to provide their true names. The payment was disguised as a "bug bounty", a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair, both of whom have since been convicted of criminal offences, in January 2017 and required them to sign new agreements in their own names. The two cyber criminals were Brandon Charles Glover and Vasile Mereacre, who pleaded guilty in 2019.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly controlled” and that the story outside of the security group was to be that “this investigation does not exist.”

Sources: BBC, Washington Post, DOJ, Computing, Guardian, Register, TechCrunch
