Uber's former chief security officer, Joe Sullivan, has been found guilty of illegally trying to cover up a 2016 data breach in which threat actors accessed 57 million Uber drivers' and customers' sensitive credentials.
Sullivan is a former cybercrime prosecutor officer of the US Department of Justice. A federal jury in San Francisco convicted him of obstructing justice and misprision – concealing a felony from law enforcement.
On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement in which he acknowledged that miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. As a result of it Sullivan, along with legal director of security and law enforcement Craig Clark was fired.
"Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the U.S. attorney's office said.
Sullivan’s trial began days before when the news broke that Uber had been hacked again. Uber said the group of hackers LAPSUS$ is running a campaign against Uber.
The group accessed and stole data of an employee’s login credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, Google Workspace admin dashboard for managing the Uber email accounts, VMware vSphere/ESXi virtual machines, Slack server, and bug bounty program portal. However, Uber confirmed that the hackers did not gain access to the sensitive data of customers.
In the case of the 2016 data breach, Uber had to make two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of the attackers from the group, an Uber representative met the man in Florida and had him sign a confidentiality agreement.
"Technology companies in the Northern District of California collect and store vast amounts of data from users. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie M. Hinds said in a statement.
