Wednesday, April 22, 2026

Lessons from the Uber CISO Conviction | CompliancePoint - JD Supra

The guilty verdict handed down to former Uber Chief Information Security Officer Joseph Sullivan has made waves in the cybersecurity industry. Sullivan was convicted of obstruction of the Federal Trade Commission and misprision of a felony. The charges resulted from Sullivan's failure to report a 2016 cybersecurity incident in which the personal information of 57 million Uber customers and drivers was stolen.

According to the initial complaint published by the U.S. Attorney’s Office, Northern District of California, in November of 2016, Sullivan received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of receiving the email. Rather than report the breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC and to pay the hacker(s) through a corporate “bug bounty” program. Additionally, Sullivan asked the hackers to sign non-disclosure agreements. The agreements stated that the hackers did not take or store any data, which was not true. When another employee confronted Sullivan about the false claims, he insisted that they stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained.

The...



Read Full Story: https://news.google.com/__i/rss/rd/articles/CBMiUGh0dHBzOi8vd3d3Lmpkc3VwcmEuY...