Uber's Chief Security Officer Joe Sullivan and his top aide have both been forced out of the company in an act of penance for the revelation that the company suffered a breach in October 2016 in which hackers stole personal data from 50,000,000 riders and 7,000,000 drivers, including 600,000 drivers' US driving license numbers; Uber says the disgraced employees acted alone when they then paid the hackers who stole the data $100,000 to hush it up.
Joe Sullivan was a former US Federal Prosecutor.
The hackers gained access to an Uber AWS store by leveraging an insecure private Github repository, then stole the accounts and threatened Uber with public humiliation if they were not bribed into silence. Uber bribed them.
Uber says that it believes that the hackers then deleted its customers' and drivers' data and never used it to commit a fraud. It provides no evidence for this belief.
Uber has now hired an ex-NSA general counsel to advise the company on security. They do not state whether this lawyer is in any way qualified as a security practitioner. Ironically, the NSA is best known for illegally gathering, storing and sharing personal information and then lying about it.
Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year. Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.
Uber Paid Hackers to Delete Stolen Data on 57 Million People [Eric Newcomer/Bloomberg]