Uber exec covered up ransom payment for millions of drivers
The U.S. Department of Justice issued a release disclosing charges against former Uber CISO Joseph Sullivan. The charges result from Sullivan’s attempt to cover up the payment of a ransom in relation to a cyberattack.
by Tim Sandle
The report indicates that the ransom, in the form of a bug bounty program, was requested by malicious hackers after they obtained access to and downloaded Uber’s database containing personally identifying information associated with approximately 57 million Uber users and drivers.
According to the BBC, Uber has previously admitted to paying a group of hackers a $100,000 (£75,000) ransom to delete the data they had stolen. Sullivan was later dismissed by Uber when the breach was revealed in 2017.
Now legal action is being taken by the U.S. courts because the decision to make a payment violated the data breach notification laws in every state requiring that companies disclose the theft of their customers’ personal information, according to The Slate.
According to Casey Ellis, the founder of Bugcrowd, this failure of business ethics has altered how the general public will view the hacker community. Ellis says that it is important to differentiate bad actors from legitimate security researchers within the wider hacker cohort.
Ellis tells Digital Journal: "What took place was an act of extortion. This incident has also negatively influenced the public’s perception of the hacker community, and of bug bounties in general. Historically, hackers were seen as malevolent, but the industry's understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community."
The analyst explores the ethical and legal issues further: "Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses a legal line into dark territory, and the type of hacking which can be helpful."
Expanding on this, Ellis says: "We have a moral obligation to support the next generation of Internet defenders as they push the ethical hacker community forward. We must band together to fight bad actors by empowering the hackers that operate with integrity."
Further, in relation to ethical hackers, a brief has been published describing how Voatz wrongly prosecuted an ethical hacker across the board on security research, as part of the Van Buren amicus briefing.