Joe Sullivan, the former head of security at Uber, was found guilty on Wednesday in a federal court of concealing a 2016 data breach for more than a year.
According to the Washington Post, Sullivan was found guilty of obstructing justice for actively covering a felony by allowing payments to the hacker who was responsible for the breach from the Federal Trade Commission.
According to Bloomberg, Sullivan claimed that other Uber executives knew about the data leak and were to blame for it not being made public for more than a year. The jury rejected this claim.
Approximately 57 million drivers and users of the ride-sharing service had their names, email addresses, and driver's license numbers exposed in the 2016 Uber hack.
The incident happened in October 2016, but it wasn't publicly disclosed until November 2017. Uber discovered the data breach in November 2016 and paid the cyber thief $100,000 to erase the information.
In September 2018, Uber agreed to pay $148 million to all 50 US states and the District of Columbia for failing to notify the breach.
Last month, Uber was breached again by a cyber attacker, who was blamed on the hacker group Lapsus$, who used similar tactics to infiltrate Microsoft, Cisco, Samsung, Nvidia, Okta, and other companies in 2022. Lapsus$ was recently accused of breaching Rockstar Games and sharing early gameplay video of Grand Theft Auto VI.
At the time, Uber stated that it acted swiftly to address the security incident in order to secure internal systems and user data. This included identifying employee accounts that were compromised and either preventing their access to Uber networks or mandating a password reset.
Several internal tools were disabled, access to many internal services was reset, the codebase was locked down, employees had to re-authenticate when access was granted, and internal environment monitoring was added "to keep an even closer eye on any further suspicious activity." according to the statement.
According to Uber, the hacker "reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites." and sent a message to a company-wide Slack channel.
Uber stated in its post that no personal data was accessed and that services such as Uber, Uber Eats, Uber Freight, and internal tools are back to normal and working well.
Uber claimed last month's hack was most likely caused by a contractor's personal device becoming infected with malware after accepting a verification notification, exposing their credentials. Credentials for the employee were most likely obtained via the dark web. According to Uber, no personal information was compromised.
