From Ars Technica:
After the Federal Trade Commission began investigating a massive Uber data breach in 2016, the tech company was hit with another breach that was seemingly just as concerning. Rather than report the second data breach to the FTC and risk further public embarrassment, then-Uber security chief Joe Sullivan consulted with lawyers and then negotiated with the hackers. He allegedly set up a deal under which Uber paid the hackers a $100,000 “bug bounty” to delete the data, then pretended the data breach was part of a planned test of Uber’s security and had the hackers sign a nondisclosure agreement.
Now, Sullivan faces criminal obstruction charges, and the Wall Street Journal reports that his case has raised alarms for tech company security chiefs everywhere, who think Sullivan shouldn’t be taking the fall for Uber. One former security chief from AT&T, Edward Amoroso, told the Journal that “many top security officers believe” that Sullivan “did nothing wrong.”
Amoroso argued that by criminalizing reporting decisions of security chiefs like Sullivan, the US Department of Justice risks setting back the entire security profession. He said the debate was best left up to security communities, not a court, to decide who is responsible. Ars couldn’t immediately reach Amoroso for additional comment.
The DOJ disagrees. Justice Department attorney Andrew Dawson echoed prosecutors in the case who say that their primary issue is with Sullivan failing to communicate the second breach during an active FTC investigation into security failures surrounding Uber’s first big data breach.