Joe Sullivan, Uber’s former Chief Security Officer (CSO), has been found guilty and sentenced by a US federal judge for covering up a data breach that affected the personal records of 57 million passengers and drivers. Sullivan, who previously worked as a security chief at Facebook, was in charge of security at the ride-sharing firm when the breach occurred in October 2016. The stolen data included names, email addresses, and phone numbers of customers and drivers.
Data breach and cover-up
Careless developers at Uber left their login credentials for an Amazon Web Services (AWS) bucket used by the company in a GitHub repository. After hackers stole data from the AWS bucket, they contacted Uber and demanded money. Sullivan made several unusual decisions for a CSO dealing with a data breach:
- He did not warn affected individuals that their data had been stolen.
- He did not inform regulators or authorities about the breach.
- He chose to cover up the hack and secretly visited the hackers, paying them $100,000 to sign a confidentiality agreement ensuring the breach would remain undisclosed.
The payment to the hackers was disguised as a bug bounty program payout in exchange for their silence.
Ex-Uber CSO’s actions and sentencing
Prosecutors alleged that Sullivan’s ego led him to cover up the security failure to protect his own image and prevent drivers from defecting to Uber’s competitors. They claimed that Uber drivers were “defrauded” as they continued to share a portion of their fares with the company.
Sullivan, a former federal prosecutor who later became Cloudflare’s CISO, was warned that he could face years in prison if convicted. However, last week he received a three-year probation sentence, avoiding prison time.
Federal Judge William Orrick for the Northern District of California told Sullivan that he “got a break” due to the unusual nature of the case, and not because of his actions or character. Orrick advised Sullivan to share this experience with his peers in the cybersecurity industry, stressing that others might not be as fortunate in similar circumstances.
{{user}} {{datetime}}
{{text}}