Tag Archive for: Regulators

US regulators sue SolarWinds and its security chief for alleged cyber neglect ahead of Russian hack


U.S. regulators on Monday sued SolarWinds, a Texas-based technology company whose software was breached in a massive 2020 Russian cyberespionage campaign, alleging fraud for failing to disclose security deficiencies ahead of the stunning hack.

The company’s top security executive was also named in the complaint filed by the Securities and Exchange Commission seeking unspecified civil penalties, reimbursement of “ill-gotten gains” and the executive’s removal.

Detected in December 2020, the SolarWinds hack penetrated U.S. government agencies including the Justice and Homeland Security departments, and more than 100 private companies and think tanks. It was a rude wake-up call that raised awareness in Washington about the urgency of stepping up efforts to better guard against intrusions.

In the 68-page complaint filed in New York federal court, the SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

In a statement, SolarWinds called the SEC charges unfounded and said it is “deeply concerned this action will put our national security at risk.”

Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.

The SEC’s enforcement division director, Gurbir S. Grewal, said in a statement that SolarWinds and Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The very month that SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state,” the complaint says.

Among the SEC’s damning allegations: An internal SolarWinds…

Source…

Hackers, abusers and regulators may vex Musk at Twitter
Elon Musk’s talk of slimming Twitter’s staff and letting people post anything allowed by law is expected to clash with the reality of fending off hackers, trolls, police and regulators, experts say.

Source…

Former Uber security officer found guilty of hiding major hack from regulators


An Uber executive was found guilty of paying off hackers to hide a major data breach from the Federal Trade Commission.

A federal jury found Joseph Sullivan, the former chief security officer at Uber, guilty of obstructing the FTC from investigating a 2016 hack of the ride-sharing platform.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said U.S. Attorney Stephanie Hinds in a press release. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI special agent Robert Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”

Sullivan’s lawyers pushed back on the verdict. “Mr Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, who represented Sullivan in court, according to Computing.

Sullivan was prosecuted over his role in a 2016 breach in which the data of 50 million users and seven million drivers was exposed, including names, email addresses, and phone numbers. Sullivan had been on the job for only a few months and had assisted with an FTC investigation into a 2014 hack. However, the CSO attempted to hide the existence of the 2016 hack, telling employees that information about it had to be “tightly controlled,” and paid the hackers $100,000 in bitcoin in exchange for their signing non-disclosure agreements promising not to speak publicly about the security breach.

Uber fired Sullivan…

Source…

Ex-Uber security chief convicted of hiding hack from federal regulators
On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

When Sullivan first learned of the second data breach, he disguised the illegal activity by paying the hackers through Uber’s bug bounty program. Uber had just announced the program in March 2016 in coordination with HackerOne, a widely used security firm whose company values urge executives like Sullivan to “default to disclosure” and ask “why keep this private?” instead of “why make this public?” It took less than a year for Sullivan to use HackerOne’s bug bounty program as a way to avoid disclosing a hack.

HackerOne did not immediately respond to Ars’ request for comment. [Update: A HackerOne spokesperson told Ars, “HackerOne has made the executive decision not to comment.”]

The Times report suggested that Sullivan’s conviction could change how all companies manage data breaches in the future.

Uber did not provide comment to NYT or Ars. Previously, an Uber spokesperson directed Ars to a blog post in which Uber CEO Dara Khosrowshahi discussed how the…

Source…