John Leyden January 05, 2022 at 17:10 UTC
Updated: January 06, 2022 at 09:04 UTC
Alleged abuse of a bug bounty program and failure to disclose a breach lead to further criminal charges
Additional charges have been added to the indictment against a former Uber security chief for his alleged role in covering up a 2016 hack against the ride-hailing company.
Wire fraud has joined the list of charges against Joseph Sullivan, 52, of Palo Alto, Calif., over his alleged cover-up of a 2016 attack that exposed the records of 57 million users and 600,000 drivers.
The latest charges – delivered in a superseding indictment returned by a federal grand jury – add to the previous charges of obstruction of justice and misprision of a felony.
Uber breach
Attackers gained unauthorized access to the personal data of 57 million Uber users and the driver’s license information of around 600,000 drivers in October 2016.
The sensitive data was downloaded from a storage bucket at a third-party cloud provider, reached by reusing credentials that an Uber engineer had inadvertently posted to a code-sharing website.
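The access path described above, a long-lived credential committed to a public code-sharing site and then replayed against cloud storage, is exactly what pre-commit secret scanning is meant to catch. The following is an added example, not code from this article, from Uber, or from the prosecution: a small scanner that flags AWS-format access key IDs (the article names only a “third-party cloud provider”; the AKIA/ASIA key-ID format is assumed here purely as the illustration) and any assignment to a secret-looking variable whose value has high Shannon entropy, so that obvious placeholders are not reported. The file it scans is a constructed sample built from the documented AWS example credentials, not data from the breach.

```python
"""Pre-commit secret scanner (added example; not Uber's or the article's code).

Assumes AWS-style long-lived keys purely as an illustration; the article only
says "third-party cloud provider" and "code-sharing website".
"""
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# AWS access key IDs are a documented public format: AKIA (long-lived) or
# ASIA (temporary) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Hypothetical generic rule: a variable whose name looks secret-bearing is
# assigned a literal of 20+ characters. The value is then entropy-tested so
# that placeholders such as "changeme_changeme_changeme" are not reported.
ASSIGNMENT_RE = re.compile(
    r"(?i)(\w*(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)\w*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)

ENTROPY_THRESHOLD = 4.0  # bits per character; suits base64/hex-like keys

Finding = Tuple[int, str, str]  # (line number, rule name, redacted value)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the character histogram."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding is traceable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> List[Finding]:
    """Return one finding per suspicious credential in `text` (a diff or a file)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            # Values already reported by the exact-format rule are not repeated.
            if ACCESS_KEY_ID_RE.fullmatch(value):
                continue
            if shannon_entropy(value) >= threshold:
                findings.append((lineno, "high_entropy_assignment", redact(value)))
    return findings


def commit_allowed(text: str) -> bool:
    """Gate for a pre-commit hook: True only when nothing suspicious was found."""
    return not scan_text(text)


# Constructed sample of a staged file. The key pair is the documented AWS
# example credential, not a real or leaked one.
SAMPLE_STAGED_FILE = """\
# config.py (constructed sample, not from any real repository)
import boto3
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme_changeme_changeme"
bucket = "rider-exports"
"""

if __name__ == "__main__":
    for lineno, rule, shown in scan_text(SAMPLE_STAGED_FILE):
        print(f"line {lineno}: {rule}: {shown}")
    sys.exit(0 if commit_allowed(SAMPLE_STAGED_FILE) else 1)
```

Run as a pre-commit hook, a non-zero exit blocks the commit; the `db_password` placeholder passes because its entropy is well under the threshold, while the real-looking secret and the key ID are both reported with only a short prefix shown. Scanning is the detective half of the control; the preventive half is not having a long-lived, bucket-wide credential to leak in the first place.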
Prosecutors say Sullivan struck a deal with the hackers to keep quiet about the breach and delete the stolen data they held, in exchange for a $100,000 bitcoin payment made to individuals who refused to give their real names.
The two individuals involved were subsequently identified, arrested, indicted and convicted over attacks on LinkedIn and Uber.
Retrospective bug bounty
Sullivan allegedly complied with an extortion demand while disguising the payment as a bug bounty, and had the hackers sign nondisclosure agreements containing false statements.
As the US Department of Justice points out, bug bounties exist to reward the legitimate discovery and reporting of security flaws, not to paper over the theft of data.
California law requires companies operating in the state to notify residents of data breaches. The wire fraud charges stem from Sullivan’s alleged attempt to defraud Uber drivers by failing to disclose the 2016 breach.
According to prosecutors, the nondisclosure agreements falsely stated that the hackers had neither taken nor stored Uber’s data. Additionally, Sullivan emailed Uber’s then newly appointed chief executive, describing the matter as a routine “security incident” rather than a (more serious) data breach.
“When hacks like this occur, state law requires notification of victims,” Acting US Attorney Stephanie Hinds said in a US Department of Justice statement on the latest development in the closely watched case. “Federal law also requires truthful responses to official government investigations. The indictment alleges that Sullivan did neither.”
“We allege that Sullivan forged documents to avoid having to notify victims and hid the seriousness of a serious data breach from the FTC, all to enrich his business,” added Hinds.
Sullivan is charged with three counts of wire fraud, plus obstruction of justice and misprision of a felony. The wire fraud charges carry a longer maximum prison term than the other offenses.
Sullivan’s arraignment on the new charges has yet to be set and no plea has been entered.
Uber – which was already under FTC investigation over an earlier 2014 breach when the second, similar breach occurred – did not disclose the 2016 breach to consumers or to Federal Trade Commission regulators until November 2017, circumstances that ultimately led to an expanded FTC consent order and a $148 million settlement with US state attorneys general.
The earlier 2014 breach exposed the names and driver’s license numbers of around 100,000 drivers.