Former Uber Security Chief Convicted

Uploaded on 2022-10-21 in GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-Transport & Travel

With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.

The verdict ended a dramatic case that pitted Joe Sullivan, a prominent security expert who was an early prosecutor of cyber crimes for the San Francisco US attorney’s office, against his former government office.

In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Now, a jury in San Francisco found Joe Sullivan, who was fired from Uber in 2017, guilty of obstruction of justice and concealing a felony.

At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data. Increasingly, companies negotiate with ransomware hackers. But investigators said they must "do the right thing" when their systems are breached.

The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney's office.

After Sullivan's conviction his lawyer, David Angeli, said "Mr Sullivan's sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people's personal data on the internet," said The Washington Post.

But prosecutors said the case was a warning to companies. “Technology companies in the Northern District of California collect and store vast amounts of data from users... We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers," the US attorney Stephanie  Hinds said. 

Ms. Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he "took steps to prevent the hackers from being caught".

At the time, the FTC was already investigating Uber following a 2014 hack. When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ) .

Staff working for Sullivan confirmed that data, including about 57 million Uber users' records and 600,000 driving-licence numbers, had been stolen.

According to the US Dept of Justive (DOJ) Sullivan arranged for the hackers to be paid in bitcoin in exchange for them signing non-disclosure agreements to not reveal the hack to anyone. The hackers were paid in December 2016, even though they had refused to provide their true names. The payment was disguised as a "bug bounty", a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair - both of whom have since been convicted of criminal offences - in January 2017 and required them to sign new agreements in their own names. The two cyber criminals were Brandon Charles Glover and Vasile Mereacre who pleaded guilty in 2019.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly controlled” and that the story outside of the security group was to be that “this investigation does not exist.”

BBC:     Washington Post:     DOJ:     Computing:     Guardian:     Register:    Techcrunch:

You Might Also Read: 

The CISO's Job Is Getting More Complex:

 

« British Spy Chief Warns Of The Threat From China
Russian Hackers Shut Down US State Government Websites »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Tripwire

Tripwire

Tripwire are a leading provider of risk-based security, compliance and vulnerability management solutions.

Quotium

Quotium

Quotium provides automated testing technologies to make business software applications secure and robust.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Sift

Sift

The Sift Digital Trust Platform protects your business and customers from all vectors of fraud and abuse through our Live Machine Learning, global trust network and automation technologies.

Physec

Physec

Physec offers innovative security products and solutions for the Internet of Things ecosystem.

ReSec Technologies

ReSec Technologies

ReSec provides total protection against all types of known and unknown malware threats including viruses, Trojans, ransomware and phishing, regardless of their delivery method.

Infigo IS

Infigo IS

INFIGO IS specializes in information security consulting services. Our employees are leading information security experts in Croatia.

Expanse

Expanse

Expanse SaaS-delivered products plus service expertise reduce your internet edge risk to prevent breaches and successful attacks.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

Strategic Cyber Ventures (SCV)

Strategic Cyber Ventures (SCV)

SCV grow cybersecurity companies that disrupt advanced cyber adversaries and revolutionize the cyber product marketplace.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LegalByte

LegalByte

LegalByte is a leading provider of comprehensive legal and forensic services dedicated to addressing the complex challenges of the digital age.

Amyna Systems

Amyna Systems

Amyna has developed an IoT cybersecurity platform that prevents malignant attacks, helping users to protect themselves from cyberattacks.

Heyhack

Heyhack

Heyhack is a SOC 2 Type II certified automated penetration testing platform for web apps and APIs.

HP Wolf Security

HP Wolf Security

HP Wolf Security protects your organization and devices from cyberattacks no matter where, when or how you work.