Former Uber security chief charged for allegedly covering up hack

Uber’s former chief security officer paid two hackers $100,000 in Bitcoin as a bug bounty reward after they breached the company’s databases.


The Department of Justice has indicted Uber’s former head of security for allegedly covering up a data breach that affected more than 50 million people. While Uber and its then-chief security officer learned about the hack in 2016, the company didn’t publicly disclose it until a year later, prosecutors said.

Officials said the alleged cover-up came directly from Joe Sullivan, who served as Uber’s security chief from April 2015 to November 2017. In October 2016, Uber suffered a data breach from two hackers who were convicted last October, and were also behind cyberattacks against the online learning website Lynda.

The hackers stole data on 57 million drivers and riders, including names, email addresses and driver’s license numbers, and agreed to delete it for a price.

Rather than publicly disclosing the hack — which companies are required to do within a certain number of days in states like California — Uber paid the hackers $100,000 and had them sign a non-disclosure agreement.

Sullivan described the payment as a bug bounty reward, which companies often pay out to security researchers who discover and report security flaws. Prosecutors said the payment was more of a cover-up than a bounty reward.

“While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice,” FBI deputy special agent in charge Craig Fair said in a statement. “Don’t help criminal hackers cover their tracks. Don’t make the problem worse for your customers, and don’t cover up criminal attempts to steal people’s personal data.”

The hack only became public knowledge after a full year, when former Uber CEO Travis Kalanick was forced out and replaced by Dara Khosrowshahi. Sullivan had briefed the new CEO about the cyberattack, but edited out details about what data the hackers obtained and when the company paid the hackers.

The company fired Sullivan after the public disclosure, and paid $148 million in a settlement over the data breach.

Sullivan has been charged with obstruction of justice, and faces a maximum of five years in prison.

“We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” Uber said in a statement.

In private conversations, Sullivan told Uber’s security team it needed to “make sure word of the breach did not get out,” according to court documents. The data breach also remained hidden from the Federal Trade Commission, which was already investigating Uber over another security issue stemming from a data breach the company suffered in 2014.

The bug bounty payment to Uber’s hackers stood out from how the company normally rewarded security researchers. For starters, Uber’s bug bounty program had a cap of $10,000, and had never paid anything close to $100,000, according to court documents.

Also, no bug bounty reward from Uber had ever come with a non-disclosure agreement like the ones created for the two hackers. Uber’s own bug bounty policy also specified that the company would not pay out for data dumps from its servers.

“Silicon Valley is not the Wild West,” said U.S. Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups.”

Alfred Ng