AGL 38.02 Increased By ▲ 0.08 (0.21%)
AIRLINK 197.36 Increased By ▲ 3.45 (1.78%)
BOP 9.54 Increased By ▲ 0.22 (2.36%)
CNERGY 5.91 Increased By ▲ 0.07 (1.2%)
DCL 8.82 Increased By ▲ 0.14 (1.61%)
DFML 35.74 Decreased By ▼ -0.72 (-1.97%)
DGKC 96.86 Increased By ▲ 4.32 (4.67%)
FCCL 35.25 Increased By ▲ 1.28 (3.77%)
FFBL 88.94 Increased By ▲ 6.64 (8.07%)
FFL 13.17 Increased By ▲ 0.42 (3.29%)
HUBC 127.55 Increased By ▲ 6.94 (5.75%)
HUMNL 13.50 Decreased By ▼ -0.10 (-0.74%)
KEL 5.32 Increased By ▲ 0.10 (1.92%)
KOSM 7.00 Increased By ▲ 0.48 (7.36%)
MLCF 44.70 Increased By ▲ 2.59 (6.15%)
NBP 61.42 Increased By ▲ 1.61 (2.69%)
OGDC 214.67 Increased By ▲ 3.50 (1.66%)
PAEL 38.79 Increased By ▲ 1.21 (3.22%)
PIBTL 8.25 Increased By ▲ 0.18 (2.23%)
PPL 193.08 Increased By ▲ 2.76 (1.45%)
PRL 38.66 Increased By ▲ 0.49 (1.28%)
PTC 25.80 Increased By ▲ 2.35 (10.02%)
SEARL 103.60 Increased By ▲ 5.66 (5.78%)
TELE 8.30 Increased By ▲ 0.08 (0.97%)
TOMCL 35.00 Decreased By ▼ -0.03 (-0.09%)
TPLP 13.30 Decreased By ▼ -0.25 (-1.85%)
TREET 22.16 Decreased By ▼ -0.57 (-2.51%)
TRG 55.59 Increased By ▲ 2.72 (5.14%)
UNITY 32.97 Increased By ▲ 0.01 (0.03%)
WTL 1.60 Increased By ▲ 0.08 (5.26%)
BR100 11,727 Increased By 342.7 (3.01%)
BR30 36,377 Increased By 1165.1 (3.31%)
KSE100 109,513 Increased By 3238.2 (3.05%)
KSE30 34,513 Increased By 1160.1 (3.48%)
Technology

U.S. charges former Uber security chief with covering up massive 2016 hacking

  • The case was believed to be first time a corporate information security officer has been charged with concealing a hack.
Published August 21, 2020

WASHINGTON: In an unprecedented case, a former chief security officer for Uber Technologies was criminally charged on Thursday with trying to cover up a 2016 hacking that exposed personal information of about 57 million of the ride-hailing company’s customers and drivers.

The U.S. Department of Justice charged Joseph Sullivan, 52, with felony obstruction of justice, saying he took “deliberate steps” to keep the Federal Trade Commission from learning about the hack while the agency was monitoring Uber security in the wake of an earlier breach.

The case was believed to be first time a corporate information security officer has been charged with concealing a hack.

Sullivan, himself a former federal prosecutor, arranged to pay the hackers $100,000 under Uber’s program for rewarding security researchers who report flaws. That amount was by far the most Uber had paid through the bounty program, which was not meant to cover theft of sensitive data.

A former chief of security at Facebook, Sullivan now works as chief information security officer at Cloudflare.

In past interviews, security staff said the Uber payout was intended to force the hackers into the open to accept the money and to ensure that the data, especially driver’s license information on Uber contractors, was destroyed.

The complaint says Sullivan had the hackers sign non-disclosure agreements that falsely stated they had not stolen data. It alleges that then-CEO Travis Kalanick was aware of Sullivan’s actions.

A spokeswoman for Kalanick declined to comment. A spokesman for Sullivan said that the charges had no merit, that Sullivan had worked with his colleagues on the case and that disclosure matters were decided by the legal department.

“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” said spokesman Brad Williams.

Kalanick’s successor as CEO — current Uber chief Dara Khosrowshahi — disclosed the payoff, then fired Sullivan and a deputy after learning the extent of the breach. Uber then paid $148 million to settle claims by all 50 U.S. states and Washington, D.C. that it had been to slow to reveal the hack.

The Uber case will resonate for the increasing number of companies that deal directly with hackers.

Many have bounty programs like Uber’s, which are generally seen as a tool to improve security and provide an incentive for hackers to stay within the law. But some participants do not play by the rules.

In the Uber case, the FBI noted, the two main hackers went on to attack other companies, which the agency said could have been averted if Sullivan had gone first to law enforcement. Both have pleaded guilty and are awaiting sentencing.

The case also suggests that companies that pay hackers to get rid of ransomware, malicious programs that encrypt their files, are not exempt from requirements to report losses of personally sensitive information.

Comments

Comments are closed.