Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach
Author: Shannon Bond - NPR
… Prosecutors are charging Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public…
… The spokesperson said Uber's legal team, rather than Sullivan, was responsible for deciding whether and to whom the matter should be disclosed…
… Sullivan quickly notified Kalanick that he had "something sensitive" to update him about, according to the complaint. A text message from Kalanick cited in the complaint discussed paying the hackers through the bug bounty program…
… Uber settled with the FTC and agreed to audits of its privacy and security systems every two years for 20 years. The company also paid a record $148 million penalty to settle lawsuits…
Whether Sullivan or the legal department made the decision to conceal the hacker payoff is pretty much irrelevant to me. A felony crime was committed against Uber, its employees, its customers and shareholders. Your incident response workflow should include an assessment of reporting obligations. Even the most sensitive investigations need a formal workflow that documents the response decision process. Knowing that your actions and decisions are being documented discourages bad behavior. The bad old days of CEOs running secret projects should be long behind us.