The Former CSO of Uber Sentenced to 5 Years in Prison Over 2017 Data Breach
The former security head of Uber was allegedly involved in criminal stoppage for trying to keep secret a data breach. The reported data breach stole the records of tens of millions of Uber customers and drivers. Moreover, a San Francisco federal jury declared guilty Uber’s former CSO (chief security officer), Joseph Sullivan. He was involved in obstructing justice and concealing knowledge.
On Wednesday, the Department of Justice confirmed that Sullivan committed a federal crime. This case is related to a breach 2016 of Uber’s systems. The breach uncovered the data of 7 million drivers and 50 million customers. The stolen data includes names, phone numbers, email addresses, and 600,000 driver’s license numbers for US drivers.
The data breach incident took place only a few months after Uber hired Sullivan to help boost the company’s cybersecurity. The hiring of Sullivan follows a smaller breach in 2014, in which hackers accessed the personal information of around 50,000 customers. Meanwhile, prosecutors said Sullivan started to hide the 2016 breach from the public and the FTC (Federal Trade Commission).
Sullivan Reportedly Paid $100,000 to Hackers
Moreover, Sullivan was currently serving as the CSO (chief security officer) for Cloudflare. He allegedly informed a subordinate that ensure tight control about the breach information. Sullivan reportedly managed to pay $100,000 to hackers under the cover of a bug bounty program against an agreement. The hackers signed a non-disclosure agreement reassuring them not to release the hack.
However, Uber terminated Sullivan in 2017. The federal prosecutors charged him in 2020 with one count of misprision of a felony and one count of obstructing. His trial reportedly marked the first time a company’s executive experienced criminal charges involving a hack or data breach. The US Attorney Hinds also issued a statement regarding the court’s decision.
Tech Companies Should Protect User’s Data & Information
Hinds said tech companies in the Northern District of California receive and store a massive amount of user data. He said those companies should protect their data and alert customers and authorities after any hacking or data breach activities. The attorney said the authorities will not endure hiding sensitive information from the public from corporate executives.
The attorney said most corporate executives are interested in securing their employers and their company’s reputation. But they should consider the protection of sensitive information of their customers. So, this type of activity is considered a violation of US federal law, which needs prosecution. However, Uber didn’t publicly disclose the data breach or inform the FTC.
Sullivan Will Face 5 Years in Prison for Hiding Information
Meanwhile, a new chief executive, Dara Khosrow Shahi, joined the company in 2017 and discovered the data breach incident. 50 US states and the District of Columbia collected $148 million in a settlement with Uber. They filed a case against Uber for attempting to hide the data breach. The UK and Dutch data protection authorities imposed fines of around $1.2 million against the riding giant over the breach.
Keep in mind that the 2017 data breach affected 82 thousand UK-based drivers and 174 thousand of Dutch citizens. However, the court hasn’t yet set a sentencing date but Sullivan will face a maximum of 5 years in prison. The DOJ said Sullivan was involved in the obstruction of justice and around 3 years for not reporting the crime.