Former Uber security chief Joe Sullivan has been found guilty by a jury over his role in covering up a massive data breach suffered by the ride sharing giant in 2016.

Sullivan was found guilty of obstructing an FTC investigation of a 2014 data breach at Uber, and deliberately hiding a felony from authorities, charges for which he faces up to eight years in prison. Sentencing will be set at a later date.

Sullivan served as Uber’s CSO between April 2015 and November 2017. In 2016, the company suffered a breach, with hackers stealing the information of over 50 million users and drivers. The attackers extorted Uber and were paid $100,000 through the company’s bug bounty program. They were allegedly instructed by Sullivan to sign non-disclosure agreements falsely claiming that no data had been stolen.

The full impact of the incident came to light one year later, after Uber appointed a new CEO. Sullivan was fired after it was revealed that he had hidden the full extent of the breach from Uber’s new management.

The attackers, later identified as two individuals from Florida and Canada, pleaded guilty in 2019, and they appear to have been instrumental in the case against Sullivan.

Industry professionals have commented on the outcome of the case and its implications for CISOs. Some of them have shared thoughts on whether mandatory breach notification requirements, such as the ones proposed by the SEC, would make a difference in situations like this.

And the feedback begins…

Avishai Avivi, CISO, SafeBreach:

Sounil Yu, CISO, JupiterOne:

Neil Thacker, CISO, EMEA, Netskope:

Christopher Hallenbeck, CISO, Americas, Tanium:

Rick Holland, CISO, Vice President Strategy, Digital Shadows:

Amitai Ratzon, CEO, Pentera:

Ilia Kolochenko, Founder, ImmuniWeb:

David Lindner, CISO, Contrast Security:

By Eduard Kovacs on Fri, 07 Oct 2022 11:16:52 +0000
Original link