Joe Sullivan, who was Chief Security Officer at Uber from 2015 to 2017, has been convicted in a US federal court of covering up a data breach at the company in 2016.
Sullivan was charged with obstructing proceedings conducted by the FTC (the Federal Trade Commission, the US consumer rights body), and with concealing a crime, an offence known in legal terminology by the peculiar name of misprision.
The jury found him guilty of both these offences.
We first wrote about the breach behind this widely-watched court case back in November 2017, when news about it originally emerged.
Apparently, the breach followed a disappointingly familiar "attack chain":
- Someone at Uber uploaded a bunch of source code to GitHub, but accidentally included a directory that contained access credentials.
- Hackers stumbled upon the leaked credentials, and used them to access and poke around in Uber data hosted in Amazon's cloud.
- The Amazon servers thus breached revealed personal information on more than 50,000,000 Uber riders and 7,000,000 drivers, including driving licence numbers for about 600,000 drivers and social security numbers (SSNs) for 60,000.
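The first two links of that chain are where a defender can intervene most cheaply: scan a checkout for cloud credentials before it is ever pushed. The following is an added example, not code from the article or from Uber; it assumes the leaked credentials were AWS access keys (the article says only that the data sat in Amazon's cloud), and its sample input uses AWS's public documentation placeholder keys, not live ones.

```python
import math
import re
from pathlib import Path

# Added example: assumes the leaked credentials were AWS keys (the article only says the
# data sat in Amazon's cloud). Long-term access key IDs start with AKIA, temporary ones with ASIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters; a tell-tale variable name must
# precede the value so that unrelated 40-character hashes are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_FLOOR = 4.0  # bits per character; real secrets score high, filler strings do not


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def scan_text(text: str, name: str = "<text>") -> list[tuple[str, int, str, str]]:
    """Return (file, line_no, kind, redacted_prefix) for every credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, line_no, "aws_access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_FLOOR:  # skip obvious placeholders
                findings.append((name, line_no, "aws_secret_access_key", m.group(1)[:4] + "..."))
    return findings


def scan_tree(root: str, suffixes=(".py", ".env", ".cfg", ".ini", ".json", ".yml", ".txt")) -> list:
    """Scan every plausible text file under a checkout; run it before pushing to a remote."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample config. The key values are AWS's public documentation placeholders,
# not live credentials; the last line is low-entropy filler that the floor should ignore.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
```

`scan_text(SAMPLE_CONFIG)` reports the real-looking key ID and secret but not the filler line; `scan_tree(".")` applies the same checks to a whole checkout.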
Ironically, this breach occurred while Uber was in the throes of an FTC investigation into a breach it had suffered in 2014.
As you can imagine, having to report a massive data breach when you're in the middle of answering to the regulator about an earlier breach, and while you're trying to reassure the authorities that it won't happen again…
…has got to be a hard pill to swallow.
Indeed, the 2016 breach was kept quiet until 2017, when new management at Uber uncovered the story and admitted to the incident.
That's when it emerged that the hackers who exfiltrated all those customer records and driver data the year before had been paid $100,000 to delete the data and keep quiet about it.
From a regulatory standpoint, of course, Uber should have reported this breach right away in many jurisdictions around the world, rather than hushing it up for more than a year.
In the UK, for example, the Information Commissioner's Office variously commented at the time:
Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]
It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]
Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]
Naked Security readers wondered how that $100,000 hacker payment could have been made without making things look even worse, and we speculated:
It'll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I guess you could wrap the $100,000 up as a "bug bounty payout", but that still leaves the issue of very conveniently deciding for yourself that it wasn't necessary to report it.
It seems that's exactly what did happen: the breach-that-came-at-exactly-the-wrong-time-in-the-middle-of-a-breach-investigation was written up as a "bug bounty", something that usually depends on the initial disclosure being made responsibly, and not in the form of a blackmail demand.
Generally, an ethical bug bounty hunter wouldn't steal the data first and demand hush money not to publish it, as ransomware crooks often do these days. Instead, an ethical bounty hunter would document the path that led them to the data and the security weaknesses that allowed them to access it, and perhaps download a very small but representative sample to satisfy themselves that it was indeed remotely retrievable. Thus they'd not acquire the data in the first place to use as an extortion tool, and any public disclosure agreed as part of the bug bounty process would reveal the nature of the security hole, not the actual data that had been at risk. (Pre-arranged "disclose by" dates exist to give companies enough time to fix the problems of their own accord, while setting a deadline to ensure that they don't try to sweep the issue under the carpet instead.)
Right or wrong?
The fuss over Uber's breach-and-cover-up ultimately led to accusations against the CSO himself, and he was charged with the abovementioned crimes.
Sullivan's trial, which lasted just under a month, concluded at the end of last week.
The case attracted a lot of interest in the cybersecurity community, not least because numerous cryptocurrency companies, faced with situations where hackers have made off with millions or hundreds of millions of dollars, seem increasingly (and publicly) willing to follow a very similar sort of "let's rewrite breach history" path.
"Give the money back that you stole," they beg, often in an exchange of comments via the blockchain of the plundered cryptocurrency, "and we'll let you keep a sizeable amount of the money as a bug bounty payment, and we'll do our best to keep law enforcement off your back."
If the final outcome of rewriting breach history in this fashion is that stolen data gets deleted, thus sidestepping any immediate harm to the victims, or that stolen cryptocoins that would otherwise be lost forever get returned, does the end justify the means?
In Sullivan's case, the jury apparently decided, after four days of deliberation, that the answer was "No", and found him guilty.
No date has yet been set for sentencing, and we're guessing that Sullivan, who himself was once a federal prosecutor, will appeal.
Watch this space, because this saga seems bound to get yet more interesting…