LOL. Imagine being such a corporatist that you end up going to jail to protect your employer.
I thought it was really interesting that Mr Sullivan is a former US Attorney. Surely he would have known he was putting himself in significant legal jeopardy, no?
This happened at Sinclair Broadcast Group as well, someone should investigate.
The one thing I haven't understood is just what the value was of the non-disclosure agreement he asked the hackers to sign? Even if you abstract away that they are hackers who illegally accessed your data, apparently they were first signed... before??... Uber knew their real identities? So, what on Earth would a signature on a piece of paper from random internet aliases possibly accomplish?
"Uber’s new management ultimately discovered the truth about the breach and disclosed the breach publicly, and to the FTC, in November 2017."
This is so weird. Did the "old management" aka TK and Thuan Pham know about this and instruct that guy to pay $$$ and keep quiet? Sounds like it? Or did he pay the ransom secretly out of his own pocket?
So maybe it's someone else that should be held accountable and the "new management" is just throwing the CSO under the bus?
I have a feeling companies in the US will have difficulty filling CISO roles without offering golden parachutes (which kick in if the CISO is let go after disclosing a breach) in future.
In cases of breaches there will often be commercial pressure in a company not to disclose (to avoid financial impact).
With personal criminal liability being a possibility for the CISO, they are then placed in the position of disclose regardless of internal pressure (risking their job) or don't disclose (and risk criminal prosecution).
> “If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair.
Are there any hints about the other “large tech company” hit by the same hackers? To be transparent to the authorities is not always easy, but in this case, it could have prevented another attack :/
Is he still the CSO for Cloudflare?
What was the upside of lying here? Seems like getting hacked is pretty common these days and I'm not surprised at all if some product I'm using tells me that they leaked my PII.
Why not just reveal the breach? Why risk going to jail just to avoid looking bad in your job? I don't think they would have even let him go because of this.
To be honest, most of the C-level of Uber seem super shady, so I'm not surprised that he "allegedly" did this.
Some "Reply All" podcast episodes that suspect, then later confirm the breach and Uber straight up lying about it when asked.
"If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair."
NOTE: So, if you are blackmailed by hackers and pay, you now go to federal prison. The only way to play with the hackers is not work with the FBI (obviously). I understand the 'anti-uber hn hate' here, but wow, being attacked by hackers, then getting scared, playing along, paying out blackmailers, then going to federal prison? Wire fraud could be 20 years in federal prison. This guy is worse than a rapist? Not following.
Also. If the FBI wants to talk to you - get a lawyer, they have no interest in "assisting" you. They do enjoy posting your name on "www.justice.gov" to permanently destroy your career though. Never, ever, ever talk to the FBI.
So, even in the US wiping your breaches under the carpet is no longer an option. The GDPR explicitly deals with this, unfortunately it still leaves some room for lawyering by not making explicit what a reportable breach is. Any breach should be a reportable breach, that would get rid of the gray area. But great to see the Justice Department deal with this in a way that is responsible towards the victims of the breach, accountability of management is a good first step in the right direction.
Does anyone else find it odd that often press releases are highly upvoted on HN (as opposed to a news article on the subject)? I understand it's source material, but the objectivity you will find in a press release is almost certainly less than you will find in a good news article.