In mid-2016, Uber suffered one of the biggest attacks in the company's history, but it took a long time to reveal the same after becoming aware that this happened.
Now, Joseph Sullivan, head of security at Uber, has been officially convicted of hiding the attack from authorities. According to the NYT, the San Francisco court convicted Sullivan of obstructing the FTC's investigation into another incident that allegedly happened in 2014. Sullivan was further convicted of actively concealing the attack from authorities.
At issue is how the head of security acted in the face of the attack, which affected one of the company's Amazon servers, and where the attackers would be asking the entity for US$100.000 to prevent data disclosure.
The hackers would have contacted Sullivan, informing that they would have discovered a security flaw in the company's systems, which allowed access to the personal information of 600.000 drivers, and more than 57 million passengers.
It was later known that the attackers had found an Uber digital key, used to access the system, and where the company's customer data was then found without any encryption.
Sullivan recommended the hackers to go through the company's bug bounty program, but it only has a maximum payout of $10.000, which is less than what the attackers intended. Faced with this, they threatened the company that they would reveal the failure and the data if the payment was not made.
The security chief used company funds to pay the $100.000 in Bitcoin, appearing as if he were part of the bounty bug program, and also forced the attackers to sign an agreement not to disclose the same.
The jury will have seen this agreement as a way to hide the activities, which will now be in front of the prosecution. In addition, it was also established that the payment should not have been made as a form of bug bounty, since these programs are aimed at security researchers who really intend to help companies – and that was not what happened in this case.
Furthermore, the authorities should also have been informed about the attack, something that did not happen at the time. Sullivan now faces up to five years in prison, plus three more for concealing the affair.
