Former Uber Security Chief Convicted

With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.

The verdict ended a dramatic case that pitted Joe Sullivan, a prominent security expert who was an early prosecutor of cyber crimes for the San Francisco US attorney’s office, against his former government office.

In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Now, a jury in San Francisco found Joe Sullivan, who was fired from Uber in 2017, guilty of obstruction of justice and concealing a felony.

At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data. Increasingly, companies negotiate with ransomware hackers. But investigators said they must "do the right thing" when their systems are breached.

The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney's office.

After Sullivan's conviction his lawyer, David Angeli, said "Mr Sullivan's sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people's personal data on the internet," said The Washington Post.

But prosecutors said the case was a warning to companies. “Technology companies in the Northern District of California collect and store vast amounts of data from users... We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers," the US attorney Stephanie  Hinds said. 

Ms. Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he "took steps to prevent the hackers from being caught".

At the time, the FTC was already investigating Uber following a 2014 hack. When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ) .

Staff working for Sullivan confirmed that data, including about 57 million Uber users' records and 600,000 driving-licence numbers, had been stolen.

According to the US Dept of Justive (DOJ) Sullivan arranged for the hackers to be paid in bitcoin in exchange for them signing non-disclosure agreements to not reveal the hack to anyone. The hackers were paid in December 2016, even though they had refused to provide their true names. The payment was disguised as a "bug bounty", a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair - both of whom have since been convicted of criminal offences - in January 2017 and required them to sign new agreements in their own names. The two cyber criminals were Brandon Charles Glover and Vasile Mereacre who pleaded guilty in 2019.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly controlled” and that the story outside of the security group was to be that “this investigation does not exist.”

BBC:     Washington Post:     DOJ:     Computing:     Guardian:     Register:    Techcrunch:

You Might Also Read: 

The CISO's Job Is Getting More Complex:

 

« British Spy Chief Warns Of The Threat From China
Russian Hackers Shut Down US State Government Websites »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Cyber Security Associates (CSA)

Cyber Security Associates (CSA)

Cyber Security Associates provides cyber consultancy and cyber managed services which help to detect, protect and educate against the ever-changing cyber threat.

Rackspace Technology

Rackspace Technology

Rackspace Technology is a leading provider of managed services across all major public and private cloud technologies. Secure your IT environments with powerful cloud security solutions and support.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

CIRT.ME

CIRT.ME

National Computer Incident Response Team of Montenegro.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

National Institute of Information and Communications Technology (NICT)

National Institute of Information and Communications Technology (NICT)

NICT is Japan’s sole National Research and Development Agency specializing in the field of information and communications technology.

Total Defense

Total Defense

Total Defense solutions include anti-malware, anti-virus, intrusion prevention & mobile security.

GuardSquare

GuardSquare

GuardSquare is the global reference in mobile application protection. We develop premium software for the protection of mobile applications against reverse engineering and hacking.

Serverless Computing

Serverless Computing

Serverless Computing London will help architects, developers and CIOs decide on the best path to a more efficient, scalable and secure computing future.

iONLINE

iONLINE

iONLINE delivers high quality IT services and solutions to businesses in Azerbaijan.

Beazley

Beazley

Beazley are a specialist insurer with three decades of experience in providing clients with the highest standards of underwriting and claims service worldwide.

eMazzanti Technologies

eMazzanti Technologies

eMazzanti Technologies provides IT consulting services for businesses ranging from home offices to multinational corporations throughout the USA and internationally.

Guernsey

Guernsey

Guernsey provides a wide range of engineering, architecture and consulting services to multiple markets, including cybersecurity consulting and CMMC certification.

Plante Moran

Plante Moran

Plante Moran is a leading audit, tax, consulting, and wealth management firm. Areas of consulting expertise include cybersecurity.

Celebrus

Celebrus

Celebrus Fraud Data Platform, by D4t4 Solutions, works with existing fraud structures to augment functionality and turn fraud management into true fraud prevention.