How former Uber’s cyber security head could face 20 years in prison for scamming customers

U.S. authorities announced additional charges against former chief security officer at Uber, in connection with his involvement in covering up a cyberattack and subsequent data breach against the ride-hailing service’s systems. In addition to the first charges against him, which included obstruction of justice and another felony, Joseph Sullivan now faces wire fraud charges.

As some users may recall, in 2016 Uber concealed an attack that led to the leaking of more than 57 million user records and more than 500,000 drivers. This information was downloaded from a cloud storage bucket by stealing the access credentials associated with a software engineer working for Uber.

The U.S. Department of Justice (DOJ) argues that Sullivan always knew about the attack, so he made a deal with the hackers responsible not to disclose the incident in exchange for a $100,000 USD payment in cryptocurrency. Those responsible for this attack were eventually identified and arrested for an intrusion on LinkedIn.

Trying not to raise suspicions, Sullivan pretended that the payment to the hackers was actually a payment of rewards for vulnerabilities, allegedly received by legitimate researchers. The prosecutors in charge of the case point out that this was a clear attempt to hide malicious activity, using a program to stimulate the investigation and combat the malicious exploitation of vulnerabilities.

Sullivan’s actions violated a California law that states that any business operating in this territory must notify residents of any data security incidents. On the wire fraud charges, the DOJ filed these new allegations because of its attempt to pass off the payment to hackers as part of Uber’s rewards program, plus there is evidence that Sullivan tried to influence the decision-making of the person who replaced him in office.

In total, Sullivan is charged with three counts of wire fraud, obstruction of justice and felony commission; although their final sentence is not yet known, the wire fraud charges could be punishable by a higher incarceration period than the other crimes. Sullivan is still waiting for his first hearing for the new charges.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.