U.S. charges former Uber security chief with covering up
massive 2016 hacking
[August 21, 2020] By
Joseph Menn and Jonathan Stempel
WASHINGTON (Reuters) - In an unprecedented
case, a former chief security officer for Uber Technologies was
criminally charged on Thursday with trying to cover up a 2016 hacking
that exposed personal information of about 57 million of the
ride-hailing company's customers and drivers.
The U.S. Department of Justice charged Joseph Sullivan, 52, with felony
obstruction of justice, saying he took "deliberate steps" to keep the
Federal Trade Commission from learning about the hack while the agency
was monitoring Uber security in the wake of an earlier breach.
The case was believed to be the first time a corporate information security
officer has been charged with concealing a hack.
Sullivan, himself a former federal prosecutor, arranged to pay the
hackers $100,000 under Uber’s program for rewarding security researchers
who report flaws. That amount was by far the most Uber had paid through
the bounty program, which was not meant to cover theft of sensitive
data.
A former chief of security at Facebook, Sullivan now works as chief
information security officer at Cloudflare.
In past interviews, security staff said the Uber payout was intended to
force the hackers into the open to accept the money and to ensure that
the data, especially driver’s license information on Uber contractors,
was destroyed.
The complaint says Sullivan had the hackers sign non-disclosure
agreements that falsely stated they had not stolen data. It alleges that
then-CEO Travis Kalanick was aware of Sullivan’s actions.
A spokeswoman for Kalanick declined to comment. A spokesman for Sullivan
said that the charges had no merit, that Sullivan had worked with his
colleagues on the case and that disclosure matters were decided by the
legal department.
Uber's logo is pictured at its office in Bogota, Colombia, December
12, 2019. REUTERS/Luisa Gonzalez/File Photo
“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the
individuals responsible for this incident never would have been identified at
all,” said spokesman Brad Williams.
Kalanick’s successor as CEO -- current Uber chief Dara Khosrowshahi -- disclosed
the payoff, then fired Sullivan and a deputy after learning the extent of the
breach. Uber then paid $148 million to settle claims by all 50 U.S. states and
Washington, D.C. that it had been too slow to reveal the hack.
The Uber case will resonate for the increasing number of companies that deal
directly with hackers.
Many have bounty programs like Uber’s, which are generally seen as a tool to
improve security and provide an incentive for hackers to stay within the law.
But some participants do not play by the rules.
In the Uber case, the FBI noted, the two main hackers went on to attack other
companies, which the agency said could have been averted if Sullivan had gone
first to law enforcement. Both have pleaded guilty and are awaiting sentencing.
The case also suggests that companies that pay hackers to get rid of ransomware,
malicious programs that encrypt their files, are not exempt from requirements to
report losses of personally sensitive information.
(Reporting by Jonathan Stempel in New York and Eric Beech in Washington, D.C.;
Editing by Mohammad Zargham, Aurora Ellis and Cynthia Osterman)
© 2020 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.