
New fraud charge! Former Uber security chief who paid hush money to conceal a data breach may face 20 years


Recently, a U.S. federal grand jury returned an indictment against Joe Sullivan, former chief security officer of Uber, for allegedly concealing a hacker attack from federal law enforcement and paying the hackers a large "hush fee". The indictment adds a third charge of wire fraud to the two earlier charges of obstruction of justice and misprision (intentional concealment) of a felony. The date of Sullivan's arraignment on the new charge has not yet been set.

In October 2016, hackers stole the personal information of 57 million Uber drivers and passengers, including names, email addresses and phone numbers, as well as the driver's license information of 600,000 drivers, Nandu reported. Sullivan, then Uber's chief security officer, chose to conceal the incident after learning of it. He paid the hackers $100,000 worth of bitcoin under the guise of a security bounty (a program that rewards individuals who discover and report software vulnerabilities) and had them sign a confidentiality agreement requiring them not to obtain or store Uber data and not to publicize the matter.

In addition, Sullivan misled Uber's new management team about the scope and severity of the data breach. In 2017, when Uber's new CEO asked Sullivan to report on the incident, he edited the briefing to falsely claim that the hackers had only accessed folders containing Uber data rather than obtaining and storing the data itself, and he denied that the incident was a "data breach", describing it instead as a very common security incident.

After the matter came to light, however, Uber paid a high price for it. In 2018, Uber paid $148 million to settle with 50 U.S. states and the District of Columbia, and paid a total of $1.2 million in fines to data protection authorities in the United Kingdom and the Netherlands. The two hackers who broke into Uber's database pleaded guilty in California federal court in 2019 but have not yet been sentenced.

While Uber paid the price for the data breach, the separate case against Sullivan also moved forward. Last August, the U.S. Department of Justice announced that Sullivan had been charged with obstruction of justice and misprision of a felony, and that he would face up to eight years in prison and a $500,000 fine if convicted.

The federal grand jury's recent indictment adds the charge of wire fraud to those two earlier charges. According to the indictment, after learning of the data breach Sullivan took various steps to conceal it from the drivers whose personal information had been leaked, ensuring that they could not learn the true nature and severity of the incident; it is this conduct that the indictment characterizes as wire fraud.

Under California's data breach notification law, an organization that suffers an attack resulting in a data breach must notify affected state residents of the possible impact on the security of their personal information. The indictment argues that Sullivan knew of the obligation to disclose significant data breaches, and that his concealment and misleading conduct constituted serious fraud committed to obtain investors' money and property.

"We have made allegations against Sullivan for forging documents, evading obligations to notify victims, and concealing the seriousness of a data breach from the FTC (U.S. Federal Trade Commission)," said Stephanie M. Hinds, the U.S. attorney for the Northern District of California. "Everything he did was to make the company profitable."

As of now, Sullivan has not responded to the new allegations. Last year, however, his spokesman, Brad Williams, took a strong stance in seeking to have the case dismissed. In his view, the decision on whether to disclose the data breach rested with Uber's legal department, not with Sullivan or his team, who were being made the "scapegoat" in the incident.

This view is echoed by Katie Moussouris, a vulnerability bounty expert at the consultancy LutaSecurity. "I think it's ridiculous to single Joe out," she told the media. No company, she said, would leave security and transparency decisions to a single executive; not only should all executives involved in the decision be held jointly responsible, but any bug-bounty company involved in such a situation should not ignore data breach laws either.

According to public reports, Sullivan is currently chief security officer of Cloudflare, an internet infrastructure services company. If convicted of wire fraud, he faces up to 20 years in prison and a $250,000 fine.

Compiled by: Nandu trainee reporter Fan Wenyang
