
Former Uber chief security officer accused of "covering up" data breach

Introduction

Joseph Sullivan of Palo Alto, California, the former chief security officer of Uber, now faces additional charges in connection with a 2016 hacking attack on the ride-hailing company. The attack exposed the records of 57 million users and 600,000 drivers, and wire fraud has been added to the charges already pending against him.

Detailed content

The latest allegations, filed in a superseding indictment returned by a federal grand jury, add to the earlier charges of obstruction of justice and misprision of a felony.

Uber breach

In October 2016, unauthorized attackers gained access to the personal information of 57 million Uber users and the driver's license data of about 600,000 drivers.

The sensitive data was downloaded from a storage bucket at a third-party cloud provider, which the attackers reached by abusing credentials that Uber engineers had inadvertently posted on a code-sharing website.

According to prosecutors, Sullivan struck a deal with the criminal hackers: in exchange for a payment of $100,000 in bitcoin, they would stay silent about the breach and delete the stolen data they held. The individuals refused to provide their real names.

The two people involved were subsequently identified, arrested, charged and convicted for the LinkedIn and Uber attacks.

Retroactive bug bounties

Sullivan allegedly complied with the extortion demand while disguising the payment as a bug bounty, and allowed the hackers to make false statements as part of a fraudulent confidentiality agreement.

As the U.S. Department of Justice points out, bug bounties exist to encourage the legitimate discovery and reporting of security issues, not to cover up the exchange of compromised data.

The latest news

California law requires businesses operating in the state to notify residents of data breaches affecting them. The wire fraud charge stems from Sullivan's alleged attempt to deceive Uber drivers by failing to disclose the 2016 breach.

According to prosecutors, the nondisclosure agreement falsely stated that the hackers had neither obtained nor stored Uber's data. In addition, Sullivan sent an email to Uber's then recently appointed CEO describing the incident as a routine "security incident" rather than a (more serious) data breach.

"When such a hack occurs, state law requires notification to the victim," U.S. Attorney Stephanie Hinds said in a Department of Justice statement on the latest developments in the high-profile case. Federal law also requires truthful answers to the government's official investigations. The indictment alleges that Sullivan did neither.

"We accuse Sullivan of forging documents to avoid an obligation to notify victims and of concealing the seriousness of a serious data breach from the FTC, all in an effort to flesh out his company," Hinds added.

Sullivan is charged with three counts of wire fraud, obstruction of justice and misprision of a felony. The wire fraud counts carry a higher maximum prison term than the other offences.

When the 2016 breach occurred, Uber was already under investigation over a similar data breach from 2014. The 2016 breach was not disclosed to consumers or to the U.S. Federal Trade Commission until November 2017, which led to a censure and a $148 million data breach settlement with the FTC.

The earlier 2014 breach exposed the names and license plate numbers of about 100,000 drivers.

Note: This article is reported by E Security Compilation.
