Former Uber security chief accused of hacking cover-up
OAKLAND, Calif. – The former Uber security chief was accused on Thursday of trying to hide from federal investigators a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.

The criminal charges filed in U.S. District Court in San Francisco against Joe Sullivan, 52, are believed to be the first against an executive stemming from a company’s response to a security incident.

But the accusations made an important distinction between failing to protect Uber’s computer network and not informing authorities. Prosecutors said Sullivan committed two crimes when he failed to disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier.

“When a company like Uber is hacked, we expect good corporate citizenship, we expect prompt disclosure to employees and consumers who are victims of that hack. In this case, what we saw was the exact opposite of good corporate behavior,” David Anderson, the United States attorney in San Francisco, said in an interview.

If convicted of both counts, Mr. Sullivan faces up to eight years in prison. He is the second Uber employee to face federal charges related to his work at Uber, which for years cultivated a reputation for pushing legal boundaries as it established itself as the leading ride-hailing company. Anthony Levandowski, a former Uber engineer, was sentenced last month to 18 months in prison for stealing self-driving car trade secrets from Google.

Mr. Sullivan became Uber’s chief security officer in 2015 after leading cybersecurity efforts at Facebook. He led the ride-hailing company’s security work until his dismissal in 2017, when his handling of the data breach, which also exposed the driver’s license numbers of around 600,000 drivers, was discovered by Uber’s new chief executive.

A spokesperson for Mr. Sullivan, who is now the chief information security officer of the internet company Cloudflare, said Mr. Sullivan had acted with the approval of Uber’s legal department and that the charges against him were unfounded.

“Without the efforts of Mr. Sullivan and his team, it is likely that those responsible for this incident would never have been identified at all,” said Bradford Williams, the spokesperson. He added that “Uber’s legal department – not Mr. Sullivan or his group – was responsible for deciding whether, and to whom, the case should be disclosed.”

In a 2018 statement on the breach, Mr. Sullivan said: “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested it was a cover-up.”

In 2016, hackers found a way to access Uber’s user data and quickly stole a copy. Uber found out when the hackers emailed the company and said they had acquired users’ personal information. They demanded money. Mr. Sullivan and other Uber employees negotiated a payment of $100,000 and convinced the hackers to sign non-disclosure agreements.

Mr. Sullivan was “visibly shocked” when he learned of the hack and told others he “couldn’t believe they had let another breach happen and the team needed to make sure word of the breach did not get out,” according to court documents.

At the time, the Federal Trade Commission was investigating Uber over a similar data breach that had occurred two years earlier. But even though he was aware of the FTC investigation and had spoken under oath with investigators, Mr. Sullivan did not notify FTC officials of the 2016 hack, prosecutors said. He also withheld information about the incident from the Uber employees who were responsible for communicating with the FTC about the previous incident, according to court documents.

Uber attempted to handle the incident quietly through its so-called bug bounty program. Tech companies often pay bounties to security researchers who discover and report flaws in their software. But bug bounty experts questioned whether the payment Uber made to the hackers fell within the ethical limits of such programs, which are designed to encourage people to report security flaws so they can be fixed.

In October, Brandon Glover, a resident of Florida, and Vasile Mereacre, a Canadian national, pleaded guilty to hacking. They could each face a maximum of five years in federal prison and are expected to be sentenced next year.

Uber disclosed the breach only in 2017, after its former chief executive, Travis Kalanick, was ousted by investors and replaced by Dara Khosrowshahi, Uber’s current chief executive.

Mr. Sullivan and Mr. Levandowski, the former engineer convicted of trade secret theft, were both close to Mr. Kalanick. On the night Mr. Sullivan learned of the breach, Mr. Kalanick texted him: “Resources can be flexible in order to put this to bed, but we need to document this very tightly,” according to court documents.

Mr. Khosrowshahi fired Mr. Sullivan and Craig Clark, Uber’s legal director for security and law enforcement, who had helped oversee the response to the security incident.

“We continue to cooperate fully with the Justice Department investigation,” said Matt Kallman, a spokesperson for Uber. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we run our business today: transparency, integrity and accountability.”

The criminal charges against Mr. Sullivan are the latest in a series of legal tangles stemming from the 2016 breach.

In 2018, the FTC expanded an earlier settlement it had reached with the company. Uber also paid $148 million to settle a hacking investigation brought by several state attorneys general. Uber has also been fined around $1.2 million by British and Dutch regulators in connection with the breach.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, the California attorney general, said in a statement after the 2018 settlement was finalized.

Businesses often face government investigations after their systems are hacked, and civil penalties against businesses that do not promptly disclose such incidents are common.

But legal experts have said that criminal prosecutions of companies or their executives related to the handling of a breach have generally been peripheral to the actual incident.

Two Equifax executives were convicted of insider trading after using their knowledge of a 2017 breach at the consumer credit reporting agency to sell their shares in the company. One was sentenced to four months in prison, while the other was sentenced to eight months of house arrest.

In 2018, Yahoo paid the Securities and Exchange Commission $35 million in penalties after failing to disclose a 2014 data breach. The Department of Justice also investigated Yahoo’s non-disclosure, but brought no charges.