Uber’s ex-CSO avoids prison after data breach cover up

Former Uber Chief Security Officer, Joe Sullivan, has been found guilty and sentenced by a US federal judge for covering up a data breach that exposed the personal records of 57 million Uber passengers and drivers. Sullivan, a former security chief at Facebook, was the CSO at Uber in October 2016 when hackers stole the names, email addresses, and phone numbers of customers and drivers. He chose not to notify affected individuals, regulators, or law enforcement about the data breach and instead arranged to meet the hackers in secret, paying them $100,000 to sign a confidentiality agreement stipulating that news of the breach would never become public. The payment to the hackers was disguised as a payout from Uber’s bug bounty program.

Prosecutors alleged that Sullivan covered up the security failure to protect his own ego and to prevent drivers from defecting to Uber’s rivals. They claimed that Uber drivers were “defrauded” because they continued to share a proportion of their fares with the company. Sullivan, who is himself a former federal prosecutor and who was appointed Cloudflare’s CISO after leaving Uber, had been warned that he could face years in prison if convicted. However, last week he was sentenced to three years of probation, avoiding prison time.

William Orrick, federal judge for the Northern District of California, told Sullivan that he got a break not because of what he did or even because of who he is, but because the case was such an unusual one-off. The case highlights the importance of transparency and accountability when dealing with data breaches. It also demonstrates that covering up a data breach can have severe consequences, not only for the individuals affected but also for the company and its reputation. Companies must take proactive steps to prevent data breaches and have a clear plan in place to respond to them if they occur.

The case also raises concerns about the use of bug bounty programs. Companies run bug bounty programs to incentivize security researchers to report vulnerabilities in their systems, and a bounty is paid for a responsibly reported flaw, not as hush money after an extortion attempt. In this case, however, the payment to the hackers was disguised as a bug bounty payout, which could undermine the legitimacy of such programs. Companies must ensure that their bug bounty programs are transparent and legitimate to avoid misuse and abuse.

In conclusion, the case highlights the need for transparency and accountability when dealing with data breaches: companies must take proactive steps to prevent them and have a clear plan in place to respond if they occur. It also raises concerns about the use of bug bounty programs, which must be run transparently and legitimately to avoid misuse and abuse. The consequences of covering up a data breach can be severe, not only for the individuals affected but also for the company and its reputation.