Tuesday, October 27, 2020

US DoJ charges Uber ex-security chief with concealing data breach


Uber’s former security chief has been charged with obstruction of justice for trying to hide a data breach from the Federal Trade Commission and Uber management, according to a statement from the Department of Justice.

Joseph Sullivan, who was Uber’s chief security officer from April 2015 to November 2017, allegedly concealed the hack that occurred in October 2016, which exposed confidential data of 57 million drivers and customers, including drivers’ license information. Uber paid the hackers $100,000 in bitcoin to delete the data, according to the Justice Department. (Sullivan was later fired.)

In addition to obstruction of justice, Sullivan is charged with misprision of a felony, meaning he knew of the breach and took steps to conceal it. If convicted, he faces up to five years in prison for the obstruction charge and up to three years for the misprision charge.

Sullivan’s spokesman Bradford Williams said in an email to The Verge that there was “no merit” to the charges against his client, noting Sullivan is “a respected cybersecurity expert and former Assistant U.S. Attorney.”

Williams says if not for Sullivan’s efforts and the efforts of Uber’s security team, “it’s likely that the individuals responsible for this incident never would have been identified at all.” He said Sullivan and his team “collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”

The hack occurred during an investigation into a 2014 breach, and Sullivan was helping authorities with that investigation when two hackers contacted him and demanded a six-figure payment to keep the hack quiet, the Justice Department says.

“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,” according to the Justice Department.

According to the charges, Sullivan tried to pay the hackers via a bug bounty program, paying the $100,000 even though the company didn’t know who the hackers were. Sullivan tried to get the hackers to sign nondisclosure agreements, which stated that the hackers didn’t take or store any of the user and driver data.

In the criminal complaint, filed in the Northern District of California, the FBI details some of the steps Sullivan allegedly took once he realized drivers’ license information could have been involved in the hack. “At approximately 1:00am Pacific time on November 15, 2016, Sullivan reached out to Uber’s then-CEO [Travis Kalanick] via text message,” the complaint states, adding that call records show that Sullivan and Kalanick had a call that lasted about five minutes. “The CEO’s response reflects that the prospect of treating the incident under the bug bounty program was already being discussed,” the complaint states.

Once Uber staff identified the hackers, Sullivan had them sign new copies of the NDAs. Uber management discovered what was happening and disclosed the breach. According to the criminal complaint, the terms of Uber’s bug bounty program “did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems.”

Since November 2016, Uber has been cooperating with the government in the investigation, according to the Department of Justice statement.

“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said in a statement emailed to The Verge on Thursday. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”

