Decrypted: Uber’s former security chief charged, FBI’s ‘vishing’ warning
A lot happened in cybersecurity over the past week.
The University of Utah paid almost half a million dollars to stop hackers from leaking sensitive student data after a ransomware attack. Two major ATM makers patched flaws that could’ve allowed for fraudulent cash withdrawals from vulnerable ATMs. Grant Schneider, the U.S. federal chief information security officer, is leaving his post after more than three decades in government. And, a new peer-to-peer botnet is spreading like wildfire and infecting millions of machines around the world.
In this week’s column, we look at how Uber’s handling of its 2016 data breach put the company’s former chief security officer in hot water with federal prosecutors. And, what is “vishing” and why should companies take note?
THE BIG PICTURE
Uber’s former security chief charged with data breach cover-up
Joe Sullivan, Uber’s former security chief, was indicted this week by federal prosecutors for allegedly trying to cover up a data breach in 2016 that saw 57 million rider and driver records stolen.
Sullivan paid $100,000 in a “bug bounty” payment to the two hackers, who were also charged with the breach, in exchange for signing a nondisclosure agreement. It wasn’t until a year after the breach that former Uber chief executive Travis Kalanick was forced out and replaced with Dara Khosrowshahi, who fired Sullivan after learning of the cyberattack. Sullivan now serves as Cloudflare’s chief security officer.
The payout itself isn’t the issue, as some had claimed. Prosecutors in San Francisco took issue with how Sullivan allegedly tried to bury the breach, which later resulted in a massive $148 million settlement with the Federal Trade Commission.