Additional charges have been filed against the former Chief Security Officer of Uber over the alleged misuse of a bug bounty programme and the failure to disclose a breach.
Recently, additional charges have been added to the indictment against the former Chief Security Officer (CSO) of Uber for his alleged role in the cover-up of a 2016 hack against the ride-hailing app.
Joseph Sullivan, 52, of Palo Alto, California, has been charged with wire fraud in connection with the alleged concealment of a 2016 cyberattack that exposed 57 million user and 600,000 driver records.
The new charges, which were announced by a federal grand jury in a superseding indictment, are in addition to prior charges of obstruction of justice and ‘misprision of a felony’.
Uber Data Breach in 2016
In October 2016, unauthorised attackers gained access to the personal information of 57 million users of Uber and the driving licence information of around 600,000 drivers.
The sensitive data was downloaded from a third-party cloud provider’s storage bucket, which the attackers accessed using credentials that an Uber engineer had inadvertently shared on a code-sharing website.
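The leak path described above (a long-lived cloud credential committed to a code-sharing site, then used to read a storage bucket) is one that a pre-commit secret scan is meant to interrupt. The following is an added illustration and is not code from the article, from Uber, or from any real scanner: it checks a set of staged files against a few credential patterns and refuses the commit when one is found. The `AKIA` prefix of AWS access key IDs is a documented format; the other patterns, the allowlist of placeholder values, the sample files and the function names (`scan_text`, `check_commit`) are assumptions constructed for this example, and the sample key values are the well-known AWS documentation placeholders, not live credentials.

```python
from __future__ import annotations
import re

# Illustrative detection rules (assumption: these cover the shapes of the
# long-lived credentials most often committed by mistake; production scanners
# carry far larger rule sets). The "AKIA" prefix of AWS access key IDs is a
# documented format; the remaining two patterns are generic heuristics.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws[_\-\s]?secret[_\-\s]?(?:access[_\-\s]?)?key"
        r"\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
    ),
    "generic-credential-assignment": re.compile(
        r"(?i)\b(?:secret|token|password|passwd|api_key)\b"
        r"\s*[=:]\s*[\"']([^\"'\s]{12,})[\"']"
    ),
}

# Placeholder values a developer legitimately leaves in source (assumed list).
ALLOWLIST = {"changeme", "<redacted>", "your-token-here"}


def redact(value: str) -> str:
    """Keep just enough of a match to triage it without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text: str, path: str = "<inline>") -> list[dict]:
    """Return one finding per credential-looking value in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # Rules with a capture group report the secret itself; the
                # access-key rule reports the whole match.
                value = m.group(1) if m.groups() else m.group(0)
                if value.lower() in ALLOWLIST:
                    continue
                findings.append(
                    {"path": path, "line": lineno, "rule": rule, "value": redact(value)}
                )
    return findings


def check_commit(staged: dict[str, str]) -> tuple[bool, list[dict]]:
    """Scan every staged file; the commit is allowed only if nothing is found."""
    findings = []
    for path, content in staged.items():
        findings.extend(scan_text(content, path))
    return (len(findings) == 0, findings)


# Constructed sample of staged files. The AWS values are the public
# documentation placeholders, not real credentials.
SAMPLE_STAGED = {
    "settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BUCKET = "rider-exports"\n'
    ),
    "README.md": 'Set API_KEY="your-token-here" before running.\n',
    "db.py": 'password = "s3cr3t-db-pass-2016"\n',
}

if __name__ == "__main__":
    allowed, findings = check_commit(SAMPLE_STAGED)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} -> {f['value']}")
    print("commit allowed" if allowed else "commit blocked")
```

Wired into a pre-commit hook, `check_commit` would be fed the staged file contents and a non-zero exit on a blocked commit stops the push; the redaction keeps the hook's own output from becoming a second copy of the secret in CI logs.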
Prosecutors said that Sullivan struck a deal with the criminal hackers to keep quiet about the breach and delete the stolen data they held, in exchange for $100,000 in bitcoin paid to individuals who refused to give their real names.
The two individuals behind the attacks on LinkedIn and Uber were subsequently identified, arrested, charged, and convicted.
Controversial Bug Bounty
Sullivan allegedly agreed to the extortionate payment demand, passing it off as a bug bounty payment and having the hackers sign bogus non-disclosure agreements containing false declarations.
Bug bounties exist to encourage the legitimate discovery and reporting of security flaws, not to cover the exchange of compromised data, as the US Department of Justice points out.
Businesses operating in California are required by law to notify residents of data breaches. Sullivan is accused of wire fraud for allegedly attempting to deceive Uber’s drivers by failing to report the 2016 data breach.
Acting US Attorney Stephanie Hinds said in a US Department of Justice statement on the latest development in the closely watched case: “When hacks like this occur, state law requires notice to victims. Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either.”
Hinds added: “We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company.”
The charges filed against Sullivan are three counts of wire fraud, obstruction of justice, and misprision of a felony. Wire fraud carries a longer maximum term of imprisonment than the other offences.
Sullivan has yet to be arraigned on the new charges, and no plea has been made.
Uber, which at the time of the 2016 leak was already under investigation by the US Federal Trade Commission (FTC) over an earlier, similar data breach in 2014, did not disclose the 2016 breach to its consumers and regulators until November 2017, resulting in a censure and a $148 million data breach settlement with the FTC.
In the earlier 2014 breach, the names and licence plate data of about 100,000 drivers had been exposed.