security

Former Uber executive sentenced for covering up data breach – Palo Alto Online


A federal judge in San Francisco on Thursday, May 4, imposed a sentence of three years’ probation on the former head of security at Uber for his role in covering up a data breach that allegedly exposed the personal information of more than 50 million riders and drivers.

Prosecutors from the U.S. Attorney’s Office in San Francisco had asked U.S. District Judge William Orrick to impose 15 months imprisonment for Joseph Sullivan, 54, arguing that “probationary or token prison sentences for corporate executives in general undermine respect for the law … and disregard the core principle that all defendants are equal before the law regardless of their position and power.”

The sentencing comes after a four-week jury trial in 2022 in which Sullivan was found guilty on one count of obstruction and one count of “misprision,” or actively concealing a felony.

Sullivan lives in Palo Alto and has deep connections in the Silicon Valley tech universe.

He was trained as a lawyer at the University of Miami and came to the Bay Area in 1997 to work in the U.S. Attorney’s Office in San Francisco, the same office that 25 years later would lead his prosecution.

In 2002, he was hired away from the U.S. Attorney’s Office, where he was prosecuting high tech crimes, to join eBay Inc. as senior director of trust and safety, a position that involved combatting cyber-crime, often in close cooperation with law enforcement.

Four years later, he moved from eBay to PayPal Holdings Inc. to lead the company’s North American legal team. According to his court filing, “During this time, Mr. Sullivan also emerged as a public face for the cybersecurity industry, championing safety measures that thwarted phishing attempts.”

Readers Also Like:  Breaking Barriers: How Out-of-Band Authentication Enhances Security - Security Boulevard

In 2008 he jumped to Facebook Inc., where served as chief security officer overseeing the company’s security team, a group that grew from 10 people to 130 during his tenure. While he was at Facebook, the company’s platform had explosive growth and Sullivan dealt with new and cutting-edge cyber-security issues.

Uber Technologies Inc. hired Sullivan as Uber’s chief security officer in April 2015.

When he arrived, the Federal Trade Commission was investigating Uber for a 2014 data breach that compromised about 50,000 consumers’ personal information.

In supervising the company’s responses to FTC investigators, Sullivan gave testimony to the FTC on Nov. 4, 2016 about the company’s data security practices, including the steps Uber had taken to keep customer data secure.

Ten days after that testimony, Sullivan learned that Uber had been breached again, this time by hackers who demanded a ransom in exchange for deleting the data, which included records on approximately 57 million Uber users and 600,000 driver’s license numbers.

According to the prosecutors, Sullivan “almost immediately recognized that this second breach revealed that Uber’s prior representations to the FTC about encryption practices and the scope of Uber employees’ access to such data — including those (Sullivan) had made under oath — had been false.”

Sullivan then allegedly worked to cover up the breach, arranging to pay off the hackers in exchange for non-disclosure agreements and allegedly blending the transaction into the company’s so-called “bug bounty program” in which the company compensated outside people for finding problems with the company’s code.

Uber paid the hackers $100,000 in bitcoin in December 2016.

In the fall of 2017, Uber’s new management began investigating the 2016 data breach and it was eventually disclosed publicly and to the FTC. According to prosecutors, the FTC’s lead investigator said that when Uber’s counsel finally informed him of the breach in November 2017, it was “probably the single most frustrating experience that I had at my time at the Federal Trade Commission.”

Readers Also Like:  Google Chrome will get weekly security updates - Ghacks

After Sullivan was convicted, his lawyers, as is customary in these cases, prepared a “sentencing memorandum” to point out to the judge the reasons why leniency — in this case a sentence of probation — was appropriate.

The memorandum argued that Sullivan had been a hard-working, unassuming professional throughout his career, always working to protect customers and the public against harm. He was a family man and a mentor to young people. He worked to aid disadvantaged youth and support freedom fighters in the Ukraine.

He had also engaged in public service and was a leader in the cybersecurity area. The memorandum noted that in 2016, President Barack Obama appointed Sullivan to the President’s Commission on Enhancing National Cybersecurity.

Sullivan’s filing included a vast number of letters of support — 185 according to his lawyers — from family, friends, colleagues and others who know him and wanted the judge to extend him leniency. They included a letter signed by 60 cybersecurity professionals and another from more than 40 chief security officers.

The letters were intended to support the argument that “Joe Sullivan has lived an exemplary life marked by hard work, integrity, and a commitment to doing the right thing.”

The government’s sentencing memorandum turned many of Sullivan’s arguments back against him.

The prosecutors said that they did not “dispute any of Defendant’s good deeds or general moral qualities as reflected in the many letters submitted on his behalf.”

But then they said “those same moral qualities only underscore that Defendant knew how wrong his conduct was.”

And as for the volume of letters provided to the court, prosecutors said, “white-collar defendants in general, and successful corporate executives in particular, will almost always have deep networks of supporters to call upon in difficult times. One does not become an executive at a company like Uber without having such a network.”

Readers Also Like:  Assam: G20 meet goes high-tech with RFID security measures for ... - EastMojo

The letters, prosecutors argued, “only underscore Defendant’s extraordinarily privileged position among the many individuals the Department of Justice prosecutes … They mainly demonstrate that Defendant is a wealthy, powerful man, with a strong network of family and friends that has benefited him throughout his life.”

The government then employed its harshest rhetoric, noting that an undocumented drug dealer sentenced in federal court “is unlikely to have had the opportunity to whitewash his criminal record by volunteering to help war-torn Ukrainians, nor the network or resources to make an extensive showing of other good deeds in his life.”

Sullivan wrote his own five-page letter to the court in which he said he accepted responsibility for his actions and recognized that he had hurt many people. He apologized.

He closed the letter saying, “I won’t let the mistakes I made happen again on my watch. Ever. And I want to dedicate my life to making up for it.”

Judge Orrick came down on the side of probation, adding a $50,000 fine and 200 hours of community service to the sentence.





READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.