Posted on August 21, 2020 at 4:48 PM
Joseph Sullivan, a former chief security officer of the ride-hailing company Uber, has been charged over his role in the 2016 breach that exposed the personal details of 57 million Uber drivers and riders. The US Department of Justice, which filed the charges yesterday, accuses him of working to conceal the breach and to keep the authorities from finding out about it.
Sullivan, 52, is alleged to have taken “deliberate steps” to keep the Federal Trade Commission from learning of the incident while the commission was investigating an earlier Uber breach.
Based on the information available, this is the first time a corporate security officer has been indicted for covering up a hack.
Sullivan, himself a former federal prosecutor, is alleged to have arranged to pay the hackers $100,000 through Uber’s bug bounty program, which exists to reward security researchers who report flaws to the company.
That was the largest payout Uber had ever made through the program, which was never intended to cover the theft of sensitive data.
Sullivan has held several senior security posts at major companies, including chief security officer at Facebook. At the time of his indictment he was working for Cloudflare as its chief information security officer.
Sullivan says his colleagues were aware of the incident
In earlier interviews, security officials said the Uber payout was meant to draw the hackers into the open, where they would accept the money and confirm that the stolen data had been destroyed. Bug bounty programs, however, exist for researchers and white-hat hackers who report flaws, not for criminals who have already exfiltrated data, and a bounty payment gives no assurance that stolen data has in fact been destroyed.
According to the complaint, Sullivan had the hackers sign non-disclosure agreements that falsely stated they had not taken any data. The complaint also alleges that Travis Kalanick, Uber’s chief executive officer at the time, was aware of the arrangement.
Kalanick’s spokeswoman declined to comment. Sullivan’s spokesman said there is no merit to the charges and that Sullivan had worked with his colleagues on the matter. He added that disclosure decisions were made by Uber’s legal department, not by Sullivan.
“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” the spokesman said.
Dara Khosrowshahi, who succeeded Kalanick as Uber’s chief executive officer, disclosed the breach and the payment to the hackers. After learning the extent of the cover-up, he fired Sullivan and a deputy who had been complicit in it. Uber subsequently paid $148 million to settle claims brought by all 50 US states and Washington, D.C., that it had been slow to disclose the hack.
Sullivan blamed for concealing the attack
The Uber case stands as a warning to the growing number of firms that deal with hackers directly. Many of them run bug bounty programs like Uber’s, which are seen as a way of keeping hackers within the law while improving the security of the companies’ systems. Not every participant plays by the rules, however.
The two hackers responsible for the Uber breach went on to attack other companies. According to the complaint, those later attacks could have been prevented had Sullivan reported the first incident to law enforcement; by concealing the Uber attack, he allowed the same group to succeed elsewhere.
The case also underlines that a company that pays a hacker’s extortion demand is still obliged to report the loss of personal data. Paying for the stolen data to be destroyed is no guarantee that it will be: some hackers take the money and then sell the same data on darknet markets anyway.
That is one reason breach-notification laws require companies to disclose any incident involving sensitive customer data. In Uber’s case, Sullivan concealed the attack from the authorities instead, and the same hackers went on to compromise other firms.