Uber’s Ex-CSO Accused Of A Cover Up
Uber's former Chief Security Officer (CSO) Joseph Sullivan has been charged with obstruction of justice and stands accused of trying to cover up a data breach in 2016 that exposed the details of 57 million Uber drivers and passengers.
The company has previously admitted to paying a group of hackers a $100,000 (£75,000) ransom to delete the data they had stolen. A criminal complaint has also been filed against Sullivan, accusing him of preventing justice being done by hiding the hacking attack Uber Technologies suffered.
In addition to hiding the attack, he is charged with intentionally preventing information about the attack from reaching the US Federal Trade Commission (FTC). The payment was disguised as a "bug bounty" reward, which is used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed. The charges allege that he asked the hackers to sign non-disclosure agreements, falsely stating they had not stolen any Uber data.
Mr Sullivan was subsequently fired from his job at Uber in 2017 when the data breach was finally revealed.
Mr Sullivan denies the charges and is currently employed as chief information security officer at leading cybersecurity firm Cloudflare. The current CEO of Uber, Dara Khosrowshahi, disclosed the data breach in 2017 after taking over from his controversial predecessor, Travis Kalanick, who is no longer connected with Uber.
The company eventually paid $148m to settle legal claims by all 50 US states and Washington DC.
It was stated that Sullivan, who worked as a security manager at Uber between 2015 and 2017, was secretly contacted by hackers via e-mail, and that the attackers were informed that Sullivan had issued the payment. It was reported that the hackers had access to information belonging to 57 million Uber users and employees, including the driver’s license numbers of 600 thousand people. It is alleged that Sullivan knowingly and willingly tried to hide all these events from the Federal Trade Commission.
Many large companies have open bug bounty schemes that invite hackers, under strict conditions, to test their computer systems for flaws. If they find one, they get paid and the company can fix it without needing to alert the authorities.