Former uber security chief Joseph Sullivan is accused of paying hackers $100,000 in BTC for concealing information about the theft of personal data of 57 million users.
According to the us Department of justice, in 2016, hackers broke into the database of the international company Uber, which provides taxi search services. Hackers gained access to the data of 57 million users, as well as to the driver’s license numbers of about 600,000 drivers.
Sullivan is accused of intentionally failing to contact law enforcement and paying hackers $100,000 in bitcoins for silence, thereby obstructing the course of justice. In December 2016, hackers received a ransom as part of a reward program for finding vulnerabilities.
Despite the anonymity of the hackers, Sullivan entered into a non-disclosure agreement with them, according to which the hackers were required to keep the hacking of the Uber database secret and not store the data obtained. It is assumed that even after Uber employees revealed the identity of the hackers, Sullivan demanded that the attackers re-sign this agreement, specifying their real names.
Law enforcement agencies became aware of the incident only in November 2017, when the leadership of Uber changed. The hackers have already been arrested. If found guilty, Sullivan faces up to five years in prison for obstructing the law and up to three years in prison for harboring a crime.
A representative for Sullivan said that these charges are not substantiated. As a cybersecurity expert, Sullivan and a team of international experts conducted their own investigation. Therefore, without their joint efforts, “it would be unlikely to find hackers” involved in this hack. Sullivan interacted with Uber’s legal and communications Department on this matter, acting within the company’s internal policies. The representative stressed that decisions about disclosure or non-disclosure, as well as who can share such information, are made by Uber’s legal Department, not by Sullivan himself.
“Concealing information about a violation of the law is also considered a crime. This case should be a good example for companies of how not to act. We urge you not to facilitate hackers and not to give in to the desire to hide information about gaining access to user data. By doing so, firms further exacerbate the risks to their clients, ” the us Department of justice explained.
Last month, hackers broke into the Argentine telecommunications company Telecom, demanding $7.5 million in XMR and threatening to double the amount if it was not paid within 48 hours.