Joe Sullivan, former head of security at Uber , was found guilty of concealing a cyberattack that affected the personal information of 57 million users and 7 million drivers of the mobility platform in 2016.
According to The New York Times, the jury convicted Sullivan of obstructing justice by not disclosing the violation to the Federal Trade Commission (FTC) and of concealment error, that is, concealing a serious crime. to the authorities.
The problem was a ransomware attack that originated on the Github platform, where the attackers found credentials that gave them access to Uber’s storage on Amazon Web Services. That was how they accessed their database and downloaded backups.
Subsequently, the hackers demanded a ransom for the information, which Uber agreed to through a payment of $100,000 in Bitcoin, which was registered as part of the company’s Bug Bounty program.
The information that was stolen included names, email addresses, phone numbers of users and drivers, as well as the driver’s license numbers of 600,000 drivers.
Sullivan covered up the attack to protect Uber
According to information presented by US authorities, Sullivan shared details of the attack, as well as the ransom payment, with then-Uber CEO Travis Kalanick.
According to prosecutors’ evidence reported by Bloomberg, Sullivan did not disclose the breach to protect his reputation, since when he joined the company in 2015, he had allegedly improved the company’s security.
Sullivan’s lawyers said his actions were aimed at preventing a data leak, and he got the attackers to sign non-disclosure agreements promising not to leak the information.
“Sullivan’s sole focus, in this incident and throughout his distinguished career, has been to ensure the security of people’s data on the internet,” Sullivan’s attorney, David Angeli, told the NYT. However, for this case, Sullivan could face up to eight years in prison. However, he is likely to have a much shorter sentence.
It is worth mentioning that when Dara Khorosrowshahi became the CEO of Uber, he was aware of the problem, although not of its true scope. Despite this, he publicly admitted the infraction, fired Sullivan and paid 148 million in civil litigation until the case was resolved in July of this year.
Likewise, it reached an agreement with the FTC to establish a privacy program for the next 20 years, in addition to reporting any incident related to “unauthorized intrusion into user information”, such as the one suffered a few months ago by by Lapsus$.
