Former Uber security chief convicted of covering up data breach
Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities.
The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
The hackers, one of whom testified during the trial, turned down the company’s offer of $10,000 (the maximum payout under Uber’s “bug bounty” policy designed to encourage private disclosure of security flaws) and threatened to release the data if a larger fee was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and a commitment to delete any user data that had been obtained. The two hackers later pleaded guilty to the attack.
Attorneys for Sullivan defended his actions in court, saying he had acted to protect customers and had notified his superiors, including then-CEO Travis Kalanick, of the data breach.
The outcome will send shockwaves through the cyber security industry, raising questions over who should take responsibility when damaging breaches occur.
“This verdict is misplaced,” said Katie Moussouris, founder and chief executive of Luta Security, which specialises in managing “bug bounty” programmes for large organisations. “The role of chief security officer cannot become chief sacrificial officer if we wish these roles to be efficient.”
Uber did not respond to requests for comment.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US attorney for the northern district of California, in a statement.
“We will not tolerate concealment of vital information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting customers,” she added.
Sullivan, a former government prosecutor specialising in cyber crime, has previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He could face up to eight years in prison.