April 13, 2024

After covering up a data breach that impacted the personal data of 57 million Uber passengers and drivers, the company’s former Chief Security Officer has been found guilty and sentenced by a US federal judge.

Joe Sullivan, a former security chief at Facebook, was the CSO at ride-sharing firm Uber in October 2016 when hackers stole the names, email addresses, and cellphone numbers of customers and drivers.

It later transpired that careless developers at the firm had left their login credentials to an Amazon Web Services bucket used by Uber in a GitHub repository.

After hackers had stolen data from the AWS bucket, they contacted Uber and asked for money.

Sullivan then made a series of very unusual decisions for a CSO dealing with a data breach:

  • He chose not to warn affected innocent individuals that their data had been stolen
  • He chose not to tell regulators about the data breach, or inform the authorities

Instead, he chose to cover up the hack and made arrangements to secretly go to the hackers, paying them $100,000 to sign a confidentiality agreement that news of the breach would never become public.

The payment to the hackers was disguised as a payment from the company’s bug bounty program, in exchange for their silence.

As we’ve described previously on Hot for Security, prosecutors alleged that the ego of the CSO prompted him to cover up the security failure in an attempt to both protect his own ego and prevent drivers from defecting to Uber’s rivals.

Prosecutors claimed that Uber drivers had been “defrauded” as they continued to share a percentage of their fares with the company.

Sullivan, who is himself a former federal prosecutor and after leaving Uber was appointed Cloudflare’s CISO, was warned that he could face years in jail if convicted.

However, last week he was told he was receiving a three-year probation sentence, avoiding jail time.

“If I have an identical case tomorrow, even if the defendant had the character of Pope Francis, they might be going to jail,” William Orrick, federal judge for the Northern District of California, told Sullivan. “When you go out and talk to your pals, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”