Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: Former Uber CSO is convicted for his attempted cover-up of a 2016 hack of the company. Also: A software supply chain attack has pushed out malware to at least 250 media sites.
This week’s top story
Former Uber CSO convicted on federal charges of covering up data breach of millions of user records
Yesterday, the U.S. Attorney's Office for the Northern District of California published a press release detailing the conviction of Uber’s former Chief Security Officer (CSO), Joseph Sullivan, on charges of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony. The conviction relates to Sullivan’s attempted cover-up of a 2016 hack of Uber, at which point he had been the company’s CSO for more than a year.
Sullivan learned of the 2016 hack from an email the hackers sent directly to him, in which they said they had stolen a “significant amount of Uber user data” and demanded a large ransom payment from the company in exchange for deleting it. The stolen data included the records of approximately 57 million Uber users, plus 600,000 driver’s license numbers.
At trial it was shown that, rather than reporting the breach to the FTC, Sullivan carried out a scheme to keep any knowledge of the incident from reaching the federal government. Sullivan told his subordinates that the breach could not “get out” and that the information needed to be “tightly controlled,” according to the press release. He also arranged for the hackers to sign non-disclosure agreements in which they promised not to reveal the hack to anyone. Uber paid the hackers $100,000 in Bitcoin in December 2016, and it was not until November 2017 that Uber’s new management discovered the breach and properly disclosed it.
Before the 2016 hack, Sullivan had led Uber’s response to the FTC’s Civil Investigative Demand, issued after an earlier breach of the company in 2014. He presented to the FTC in March 2016 and testified under oath in November 2016, claiming that Uber had taken several steps to keep customer data secure. The 2016 hack occurred just 10 days after that testimony. Even after beginning his scheme to cover up the 2016 hack, Sullivan continued to claim that the work he and his team were doing was keeping the company’s data secure.
This conviction sets a precedent for how CSOs, CISOs, and other security executives are expected to handle major breaches, and in particular for what happens when a breach is concealed from regulators rather than disclosed. FBI Special Agent In Charge Tripp summed it up: “The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”
Here are the stories we’re paying attention to this week…
Stolen health records belonging to millions of Australians have been publicly released on the dark web, 24 hours after the hackers threatened to do precisely that. Last month, the still-unidentified hackers demanded a ransom from Medibank, a private health insurer in Australia, which the company refused to pay.
Install latest Windows update ASAP - patches issued for 6 actively exploited 0-days (The Hacker News)
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
Former CISA Director Chris Krebs said Twitter’s paid subscription plan for a verification mark will “create a very chaotic environment,” because it would open the information space to foreign actors, election deniers, and other potentially malign influencers.
What do the US's software security rules mean for UK organizations? (ComputerWeekly.com)
The White House announced recently that all software supplied to the US government and its agencies needs to be secure, so what does this mean for the UK and EU security sectors?
Image source: Adam Fagen/Flickr
Get up to speed on key trends and understand the landscape with The State of Software Supply Chain Security 2024. Plus: Learn about ReversingLabs Spectra Assure for software supply chain security.