According to The Register, Joe Sullivan, Uber’s former chief security officer, has been found guilty of illegally covering up the theft of Uber drivers and customers’ personal information.
Sullivan, who had previously worked as a cybercrime prosecutor for the US Department of Justice, was accused of obstructing justice and misprision, which is the concealment of a felony from law enforcement, two years ago. On both charges, he was found guilty today.
On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement admitting that adversaries had entered into the infrastructure of the app behemoth in late 2016 and stolen 57 million user and driver details. As a result, Sullivan and Craig Clark, the legal director of security and law enforcement, were sacked.
Court records state that Sullivan discovered the theft in November 2016, just ten days after testifying before the US Federal Trade Commission regarding a 2014 cyberattack against Uber. Sullivan attempted to cover up that 2016 heist by attempting to pass off a ransom payment made to the criminals to recover the data as a bug bounty award out of fear that the company would suffer from another data security breach.
In years gone by companies would attempt to cover up their data breaches in the thought that this would impact the business less. However, with data thefts growing in huge swathes across all industries along with the introduction of GDPR, it is now far more noble to own up to a breach and offer support and help to those affected in a timely manner. Time is of the essence in a data breach where private information has been stolen so it is vital that customers are alerted immediately. It is now even mildly expected that a company will be attacked and potentially have a data leak, therefore it is more interesting to monitor how a company owns up to a breach and handles the aftermath of the breach.