Former Uber Chief Security Officer Joe Sullivan in happier times (Photo: National Institute of Standards and Technology website)

A federal jury found former Uber security chief Joe Sullivan guilty of two felonies after a four-week trial in San Francisco.

prosecutors who charged Sullivan, 53, in a criminal complaint with "a scheme to withhold and conceal" a 2016 data breach affecting tens of millions of Uber account holders.

The trial was a landmark, likely marking the first time a chief security officer has faced criminal charges over an incident response.

"This is a case about cover-up, about payoff and about lies," Andrew Dawson, an assistant U.S. attorney in the Northern District of California, told the court in his opening argument, The Wall Street Journal reported.

Sullivan faces up to eight years in prison and $500,000 in fines, a stark reversal of fortune for a man who held senior cybersecurity positions at Facebook and Cloudflare and earlier in his career was a pioneering cybercrime prosecutor with the Department of Justice.

The jury found him guilty of obstruction and misprision of a felony, which refers to knowing something is a felony and covering it up. "I don't think there's any rush for picking a sentencing date," said Judge William Orrick shortly before adjourning court.

The 2016 security incident affecting 57 million account holders and the driver's license numbers of 600,000 drivers didn't come to light publicly until November 2017, after Uber's new management team learned about the particulars and its board of directors probed the response. Dara Khosrowshahi, who'd taken over as chief executive from co-founder Travis Kalanick, ordered that all affected users and the Federal Trade Commission be notified.

Sullivan's crime wasn't that a breach happened on his watch but that he obstructed an ongoing federal investigation by the Federal Trade Commission into Uber's data security practices in the wake of an earlier data breach in 2014. A superseding indictment added three counts of wire fraud related to the hacker payoff, made under the guise of a bug bounty reward. Shortly before the trial began, prosecutors agreed to dismiss the wire fraud charges, which carried the prospect of decades in prison in the event of a guilty verdict.

Khosrowshahi fired Sullivan in November 2017, along with in-house attorney Craig Clark, who oversaw a $100,000 bitcoin payment made to two hackers who stole Uber account data. Clark testified against Sullivan under an agreement of immunity.

The hackers, two men in their 20s, pleaded guilty in 2019 to making extortion demands to companies including Uber and LinkedIn. They accessed Uber data by using stolen GitHub credentials to access a private Uber code repository containing an access key to the company's Amazon Web Services account.

The 2016 breach occurred just days after Sullivan testified to the FTC that Uber under his watch fixed problems revealed by the 2014 breach, which also involved an AWS access key posted to the company GitHub repository. At the time, the repository was open to the public. "You can see him realizing, 'Oh, no, this is exactly the sort of thing we told the FTC wouldn't happen anymore,'" Assistant U.S. Attorney Ben Kingsley told the jury in closing arguments, Courthouse News Service reported.

Earlier this year, Uber admitted guilt as part of a non-prosecution agreement (see: Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution). The agreement states that Sullivan took steps to keep knowledge of the data breach tightly controlled and that Uber attorneys communicating with the FTC weren't told of the breach, even as they represented the company's security practices as being much improved since 2014.

In 2018, the company settled for $148 million an investigation led by state attorneys general into the data breach.