Former Uber security chief found guilty of covering huge hack which led to breach of millions of personal records
Niamh Spence
Featured Image Credit: Julio Cortez/AP/Shutterstock/EThamPhoto/Alamy Stock Photo
Uber's former security chief Joseph Sullivan has been found guilty for attempting to cover up a data breach in 2016 that affected millions of customers' records.
Sullivan, who stopped working for Uber in 2017, was found guilty of obstructing justice and concealing knowledge that a federal felony had been committed. He has not yet been sentenced but faces a potential eight-year stretch in prison, according to prosecutors.
US Attorney Stephanie M. Hinds said in a statement: "Technology companies in the Northern District of California collect and store vast amounts of data from users.
Advert
"We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users."
The conviction concerns a data breach in 2016, after Sullivan was emailed by hackers while employed as Uber's chief security officer. Employees confirmed hackers had stolen the records of approximately 57 million users and also 600,000 driver's license numbers.
The hacker reportedly posed as an employee to gain access before tricking another into sharing their Uber credentials. Screenshots shared by the hacker confirmed they had accessed the company's cloud-based systems, where Uber's customer and financial data is stored.
It's reported that after Sullivan was made aware of the breach, he then began a scheme to hide the breach from going public. As a result he also attempted to hide it from the Federal Trade Commission, which is a felony. The FTC were already investigating an earlier hack from 2014.
However, Mr Sullivan's lawyer David Angeli strongly denied the cover up when he spoke to the New York Times: "Mr. Sullivan’s sole focus – in this incident and throughout his distinguished career – has been ensuring the safety of people’s personal data on the internet."
According to the US attorney's office, Sullivan told employees at Uber that 'the story outside of the security group was to be that ‘this investigation does not exist'.'
As part of the attempts to cover up the breach, Sullivan also arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements. Prosecutors also added that he also never made Uber lawyers aware of the breach, despite them already working with the FTC on the 2014 enquiry.
The US attorney's office added: "Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber."
As a result of the breach, Sullivan was fired from Uber alongside one of their lawyers, Craig Clark. As a result of testifying against Sullivan, Clark was given immunity by prosecutors. No other Uber executives or employees have been charged in this case.
UNILAD has reached out to Uber for comment.