Joe Sullivan, who was Chief Security Officer at Uber from 2015 to 2017, has been convicted in a US federal court of covering up a data breach at the company in 2016.
Sullivan was charged with obstructing proceedings conducted by the FTC (the Federal Trade Commission, the US consumer rights body), and with concealing a crime, an offence known in legal terminology by the peculiar name of misprision.
The jury found him guilty of both these offences.
We first wrote about the breach behind this widely-watched court case back in November 2017, when news about it originally emerged.
Apparently, the breach followed a disappointingly familiar “attack chain”:
- Someone at Uber uploaded a bunch of source code to GitHub, but accidentally included a directory that contained access credentials.
- Hackers stumbled upon the leaked credentials, and used them to access and poke around in Uber data hosted in Amazon’s cloud.
- The Amazon servers thus breached revealed personal information on more than 50,000,000 Uber riders and 7,000,000 drivers, including driving licence numbers for about 600,000 drivers and social security numbers (SSNs) for 60,000.
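The first link in that chain, credentials committed alongside source code, is the one a repository owner can check for mechanically before anything is pushed. What follows is an added example (not code from the original article, and not anything Uber itself ran): a small Python scanner that flags AWS access key IDs, which have a rigid format, and 40-character secret keys, which it reports only when they are assigned to a secret-like variable and have the entropy of a genuinely random key. The sample “repository” is constructed inline, and the key pair in it is AWS’s documented placeholder example, not a live credential. The variable names and the entropy threshold are the example’s own choices.

```python
"""Pre-push check for cloud credentials accidentally committed alongside source code.

Added example, not code from the article or from Uber. Two detectors:
  * a strict pattern for AWS access key IDs (AKIA.../ASIA... + 16 chars), which are
    structured enough to match with almost no false positives;
  * a looser pattern for the 40-character secret access key, accepted only when it is
    assigned to a secret-like variable AND has the entropy of a real random key, so
    documentation placeholders such as "xxxx..." are not reported.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, 1-based line number, kind, matched value)

# Long-lived IAM user keys start AKIA, temporary STS keys start ASIA; the lookarounds
# stop us matching inside a longer alphanumeric token (e.g. a hash that happens to contain AKIA).
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-ish characters. On its own that is far too noisy,
# so we only accept it on a line that assigns it to a secret-like name (names are an
# assumption of this example; extend the alternation for your own config formats).
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|aws_secret|secret_key)\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Real 40-character secrets land around 5 bits/char; a repeated placeholder scores ~0.
# The threshold is a tuning choice for this example, not an AWS-defined constant.
MIN_SECRET_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking token in one file, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_ASSIGN_RE.finditer(line):
            secret = m.group(1)
            # Placeholders like "xxxx..." or "CHANGEME..." fail the entropy check.
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY_BITS:
                findings.append((path, lineno, "aws_secret_access_key", secret))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> contents (e.g. the staged files of a commit)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. The key pair is AWS's documented placeholder example,
# not a real credential; the README line is the kind of docs placeholder that must NOT fire.
SAMPLE_FILES: Dict[str, str] = {
    "src/app.py": "import boto3\n\nclient = boto3.client('s3')\n",
    "config/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY=" + "x" * 40 + " before running the tests.\n",
}


if __name__ == "__main__":
    hits = scan_tree(SAMPLE_FILES)
    for path, lineno, kind, value in hits:
        # Print only the ends of the value so the hook's own log does not leak the secret.
        print(f"{path}:{lineno}: {kind}: {value[:4]}...{value[-4:]}")
    # A non-zero exit makes this usable as a git pre-commit hook or CI gate.
    raise SystemExit(1 if hits else 0)
```

Run against the sample tree, the scanner reports the two lines in `config/credentials` and stays silent on `README.md`. Wiring `scan_tree` to the staged files of a commit (for example from `git diff --cached --name-only`) turns it into the gate that would have caught a credentials directory before it ever reached GitHub; the pattern list is deliberately small here and would grow to cover whatever other providers a real code base talks to.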
Ironically, this breach happened while Uber was in the throes of an FTC investigation into a breach it had suffered in 2014.
As you can imagine, having to report a massive data breach when you’re in the middle of answering to the regulator about an earlier breach, and while you’re trying to reassure the authorities that it won’t happen again…
…has got to be a hard pill to swallow.
Indeed, the 2016 breach was kept quiet until 2017, when new management at Uber uncovered the story and admitted to the incident.
That’s when it emerged that the hackers who exfiltrated all those customer records and driver records the year before had been paid $100,000 to delete the data and keep quiet about it.
From a regulatory standpoint, of course, Uber should have reported this breach promptly in many jurisdictions around the world, rather than hushing it up for more than a year.
In the UK, for example, the Information Commissioner’s Office variously commented at the time:
Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]
It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]
Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]
Naked Security readers wondered how that $100,000 hacker payment could have been made without making things look even worse, and we speculated:
It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I guess you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of very conveniently deciding for yourself that it wasn’t necessary to report it.
It seems that’s exactly what did happen: the breach-that-came-at-exactly-the-wrong-time-in-the-middle-of-a-breach-investigation was written up as a “bug bounty”, something that usually depends on the initial disclosure being made responsibly, and not in the form of a blackmail demand.
Typically, an ethical bug bounty hunter wouldn’t steal the data first and then demand hush money not to publish it, as ransomware crooks often do these days. Instead, an ethical bounty hunter would document the path that led them to the data and the security weaknesses that allowed them to access it, and perhaps download a very small but representative sample to satisfy themselves that it was indeed remotely retrievable. Thus they would not acquire the data in the first place to use as an extortion tool, and any public disclosure agreed as part of the bug bounty process would reveal the nature of the security hole, not the actual data that had been at risk. (Pre-arranged “disclose by” dates exist to give companies enough time to fix the problems of their own accord, while setting a deadline to ensure that they don’t try to sweep the issue under the carpet instead.)
Right or wrong?
The fuss over Uber’s breach-and-cover-up eventually led to accusations against the CSO himself, and he was charged with the abovementioned crimes.
Sullivan’s trial, which lasted just under a month, concluded at the end of last week.
The case attracted plenty of interest in the cybersecurity community, not least because numerous cryptocurrency companies, faced with situations where hackers have made off with millions or hundreds of millions of dollars, seem increasingly (and publicly) willing to follow a very similar sort of “let’s rewrite breach history” path.
“Give the money back that you stole,” they beg, often in an exchange of comments via the blockchain of the plundered cryptocurrency, “and we’ll let you keep a sizeable amount of the money as a bug bounty payment, and we’ll do our best to keep law enforcement off your back.”
If the final outcome of rewriting breach history in this fashion is that stolen data gets deleted, thus sidestepping any immediate harm to the victims, or that stolen cryptocoins that would otherwise be lost forever get returned, does the end justify the means?
In Sullivan’s case, the jury apparently decided, after four days of deliberation, that the answer was “No”, and found him guilty.
No date has yet been set for sentencing, and we’re guessing that Sullivan, who himself was a federal prosecutor, will appeal.
Watch this space, because this saga seems sure to get yet more interesting…