CYFOR Blog

The latest industry news and insights

Former Uber CSO charged with data breach cover-up

The Department of Justice says former Uber CSO Joe Sullivan lied to management about the data breach cover-up and paid hush money to the hackers.

The U.S. Department of Justice has charged the 52-year-old with obstruction of justice after a data breach cover-up in 2016 that exposed the details of 57 million Uber drivers and passengers.

The hackers demanded a six-figure payment in an attempt to extort Uber. To cover up the breach, Uber eventually paid the cybercriminals $100,000 (£75,000) in Bitcoin and instructed them to delete the data. This payment was disguised as a “bug bounty” reward through its HackerOne program, which is used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The charges against him allege that he asked the hackers to sign non-disclosure agreements that falsely stated they had not stolen any Uber data. Uber chief executive Dara Khosrowshahi disclosed the data breach in 2017, and Sullivan was fired over his role in the handling of the incident.

The charges filed by the US Department of Justice said Mr Sullivan had taken “deliberate steps” to stop the Federal Trade Commission (FTC) from finding out about the hack. He deceived Uber’s management team about the data breach and failed to provide critical details. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.

Further investigation revealed that the hackers were two individuals living in Canada and Florida. They pleaded guilty in October 2019, admitting that they stole information from unprotected AWS servers and then demanded payment to destroy the data.

U.S. officials expressed discontent over how the incident was addressed, particularly since the information was withheld from the FTC, which at the time was investigating a smaller cybersecurity incident suffered by the ride-sharing firm in 2014. The company eventually paid $148m to settle legal claims by all 50 US states and Washington DC.
