In connection with the attempt to hide the breach Uber experienced in 2016, Joe Sullivan, the former Chief Security Officer (CSO) of Uber, was found guilty of hindrance of the Federal Trade Commission’s investigation and misprision of crime. People in the cybersecurity world, notably those holding CSO and CISO (Chief Information Security Officer) positions, have been following the trial closely.
In April 2015, Sullivan was appointed as Uber’s Chief Security Officer. In 2014 Uber had only just informed the FTC that it had had a data breach. Following that disclosure, Uber’s data security procedures and practices were subject to an inquiry by the FTC’s Division of Privacy and Identity Protection. May 2015, one month following Sullivan’s hiring. In his sworn testimony before the FTC on November 4, 2016, Sullivan outlined the actions Uber had taken to protect data.
Ten days after Sullivan’s FTC testimony, he discovered that Uber had been compromised once more. On November 14, 2016, Sullivan received an email from the cybercriminals. Informing Sullivan and other Uber employees that they had acquired a sizable amount of customer data, the cybercriminals sought a sizable ransom from Uber in order to have the data deleted.
The evidence showed that soon after becoming aware of the scope of the 2016 breach, Sullivan implemented a plan to keep the FTC from knowing about it, instead of informing the FTC, other law enforcement agencies, or Uber’s users.
Sullivan then made arrangements to pay the hackers in return for their signing non-disclosure agreements, which featured the false assurance that the hackers did not extract or save any data in their hack and contained the hackers’ vow not to disclose the intrusion to anybody.
The two hackers, Brandon Charles Glover and Vasile Mereacre, were charged in 2019 and entered guilty pleas; however, sentences have not yet been handed down. In Sullivan’s trial, the latter recently provided testimony.
A federal jury found Sullivan guilty, and he now faces up to eight years in prison for the two offenses. Sullivan claimed throughout the trial that he forgot to report the breach to the FTC because the decision on when the breach should be revealed was made by Uber’s legal department. However, only Sullivan has been charged thus far in relation to this event and the subsequent cover-up.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.