Ex-Uber chief security officer pleads guilty to covering up 2016 data breach

SAN FRANCISCO – The former chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.

A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.

According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.

The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the FTC served the company with a demand for information about any other instances of unauthorized access to user personal information as well as information regarding its broader data security program and practices.

Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the FTC, participated in a presentation to the FTC in March 2016 and testified under oath on Nov. 6, 2016, regarding the company’s practices.

Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.

All told, the breach involved 57 million Uber users and 600,000 driver license numbers.

Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal the hack to anyone. The NDAs also reportedly contained the false representation that the hackers did not take or store any data in the hack. In December 2016, the company paid the hackers $100,000 in bitcoin despite their refusal to provide their true names.

Uber identified two of the hackers in January 2017 and made them sign new copies of the NDAs in their true names. According to the U.S. Attorney’s Office, Sullivan carried out the plan despite knowing that the hackers were hacking and extorting other companies and that the hackers had obtained data from some of them.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in the statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds continued. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

In fall 2017, new management at Uber launched an investigation into the 2016 data breach. Prosecutors said Sullivan falsely told the CEO that the hackers had been paid only after they were identified. He also reportedly altered a report to downplay the severity of the breach and lied to attorneys brought in to conduct the probe.

The 2016 data breach was ultimately discovered and publicly disclosed by Uber in November 2017.

In addition to Sullivan, the two hackers identified by Uber were prosecuted. On Oct. 30, 2019, they pleaded guilty to computer fraud conspiracy charges and await sentencing.

Sullivan, meanwhile, remains free on bond pending a sentencing hearing, which has not been scheduled.

Check back for updates.
