After the Federal Trade Commission began investigating a massive Uber data breach in 2016, the tech company was hit with another breach that was seemingly just as concerning. Rather than report the second data breach to the FTC and risk further public embarrassment, then-Uber security chief Joe Sullivan consulted with lawyers and then negotiated with the hackers. He allegedly set up a deal under which Uber paid the hackers a $100,000 “bug bounty” to delete the data, then pretended the data breach was part of a planned test of Uber’s security and had the hackers sign a nondisclosure agreement.
Now, Sullivan faces criminal obstruction charges, and The Wall Street Journal reports that his case has raised alarms for tech company security chiefs everywhere, who think Sullivan shouldn’t be taking the fall for Uber. One former security chief from AT&T, Edward Amoroso, told the Journal that “many top security officers believe” that Sullivan “did nothing wrong.”
Amoroso argued that by criminalizing the reporting decisions of security chiefs like Sullivan, the US Department of Justice risks setting back the entire security profession. He said the debate over who is responsible was best left to security communities, not a court. Ars couldn’t immediately reach Amoroso for additional comment.