This week: Former Uber CSO is convicted for his attempted cover-up of a 2016 hack of the company. Also: A software supply chain attack has pushed out malware to at least 250 media sites.
Yesterday, the U.S. Attorney's Office in the Northern District of California shared a press release detailing the conviction of Uber’s former Chief Security Officer (CSO), Joseph Sullivan, who was found guilty of obstruction of the Federal Trade Commission (FTC) and misprision of a felony. The conviction relates to Sullivan’s attempted cover-up of a 2016 hack of Uber, at which point he had been the company's CSO for more than a year.
The 2016 hack had been made known to Sullivan in an email sent to him directly from the hackers, in which they shared that they had stolen a “significant amount of Uber user data,” and demanded a large ransom payment from the company in exchange for the data being deleted. The data stolen included the records of approximately 57 million Uber users, plus 600,000 driver’s license numbers.
Prosecutors proved that, rather than reporting the data breach to the FTC, Sullivan executed a scheme to prevent any knowledge of the incident from reaching the federal government. According to the press release, Sullivan told his subordinates that the breach could not “get out” and that the information needed to be “tightly controlled.” Sullivan also made an arrangement with the hackers under which they signed non-disclosure agreements promising not to reveal the hack to anyone. Uber then paid the hackers $100,000 in Bitcoin in December of 2016, and it was not until November of 2017 that Uber’s new management discovered the breach and properly disclosed it.
Before the 2016 hack of Uber, Sullivan led the response to the FTC’s Civil Investigative Demand on the company after it had initially been hacked in 2014. Sullivan presented to the FTC in March of 2016 and testified under oath in November of 2016, claiming that Uber had taken several steps to keep customer data secure. Just 10 days after his testimony, the 2016 hack of Uber occurred. Even after his scheme to cover up the 2016 hack had begun, Sullivan continued to claim that the work he and his team were doing was keeping the company’s data secure.
This conviction sets a new precedent for how CSOs, CISOs, and other security executives should be handling major breaches. FBI Special Agent In Charge Tripp summed it up: “The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”
Here are the stories we’re paying attention to this week…
The cyber-threat actor known as TA569, or SocGholish, has compromised JavaScript code used by a media content provider in order to spread the FakeUpdates malware to major media outlets across the US.
Stolen health records for millions of Australians have been publicly released on the dark web following a threat by hackers 24 hours earlier to do precisely that. Last month, the unknown hackers demanded a ransom from Medibank, a private insurance provider in Australia, which the company refused to pay.
Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
Former CISA Director Chris Krebs said the paid subscription plan for a verification mark on Twitter will “create a very chaotic environment” because it would open the information space to foreign actors, election deniers and other potentially malign influencers.
The White House announced recently that all software supplied to the US government and its agencies needs to be secure, so what does this mean for the UK and EU security sectors?
Image source: Adam Fagen/Flickr