Posts with «crime & justice» label

Uber's ex-security chief was found guilty of covering up a major data breach in 2016

Joseph Sullivan, who used to serve as Uber's security chief, was convicted of federal charges for hiding a 2016 data breach from authorities. According to The New York Times, a jury in a San Francisco federal court has found Sullivan guilty of obstructing the FTC's ongoing investigation into Uber at the time for another breach that occurred in 2014. He was also found guilty of actively hiding a felony from authorities. Sullivan's case, believed to be the first time an executive has faced criminal charges over a hack, revolves around how the former executive dealt with the bad actors who infiltrated Uber's Amazon server and demanded $100,000 from the company.

The hackers got in touch with Uber shortly after Sullivan sat for a deposition with the FTC for its investigation of the 2014 cybersecurity incident. They told him they found a security vulnerability that allowed them to download the personal data of 600,000 drivers and additional information linked to 57 million drivers and passengers. As The Washington Post reports, it was revealed later on that the hackers found a digital key that they used to get into Uber's Amazon account. There, they found an unencrypted backup collection of personal data on passengers and drivers.

Sullivan pointed them to the company's bug bounty program, which had a max payout of $10,000. The hackers wanted at least $100,000, however, and threatened to release the data they'd stolen if Uber didn't pay up. The former security chief paid them the amount they demanded in bitcoin and made it appear as if they'd been paid under the bug bounty program — an action reportedly sanctioned by then Uber chief executive Travis Kalanick. He also tracked them down and made them sign nondisclosure agreements.

The former executive's camp argued that Sullivan felt Uber's user data was protected after the hackers signed an NDA. "Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported. There was no coverup and there was no obstruction," his lawyer David Angeli said. But prosecutors disagreed and viewed his use of NDAs as a way to cover up the incident. Further, they stressed that the incident shouldn't have been qualified for a payout under the bug bounty program, which is meant to reward friendly security researchers, when the bad actors threatened to release users' personal information if they didn't get paid the amount they wanted.

In the end, the jury agreed with the prosecutors that Sullivan should have notified the FTC about the data breach. It wasn't until Dara Khosrowshahi took over as CEO that the FTC was informed of the event. A sentence hasn't been handed down yet, but Sullivan now faces five years in prison for obstruction and up to three more years for failing to report a felony. 

Former eBay execs get prison time in cyberstalking case involving Twitter threats and fetal pig deliveries

Two of the eBay executives who were charged for staging a cyberstalking campaign against the creators of the eCommerceBytes newsletter have been sentenced to prison. The Justice Department says that these execs, along with five other former eBay employees, worked together to intimidate David and Ina Steiner. They apparently hatched a scheme targeting the Steiners shortly after Ina published an article in their newsletter about a lawsuit eBay filed accusing Amazon of poaching its sellers. David said the people involved in their harassment made their lives "a living hell."

James Baugh, eBay's former senior director of safety and security, was sentenced to almost five years in prison and was ordered to pay a fine of $40,000. Meanwhile, David Harville, eBay's former Director of Global Resiliency and the last person in the case who pleaded guilty, got a two-year sentence and was ordered to pay a $20,000 fine. 

According to the DOJ, the group sent disturbing deliveries to the couple's home, including "a book on surviving the death of a spouse, a bloody pig mask, a fetal pig, a funeral wreath and live insects." They also sent the couple threatening Twitter messages and posted on Craigslist to invite the public to partake in sexual encounters at the victims' home. Authorities also said that Baugh, Harville and another eBay employee monitored the couple's home in person with the intention of attaching a GPS tracker to their car. 

Based on the case's court documents, David Wenig, who was eBay's CEO at the time, sent another top exec a message that said "If you are ever going to take her down ... now is the time" 30 minutes after Ina's post was published. In turn, that executive sent Wenig's message to Baugh, adding that Ina was a "biased troll who needs to get BURNED DOWN." As The Washington Post notes, Wenig was not charged in the case but is facing a civil lawsuit from the Steiners, who accused him of attempting to "intimidate, threaten to kill, torture, terrorize, stalk and silence them." He denied any knowledge of the harassment campaign. 

As for Baugh and Harville, both asked the Steiners for forgiveness, according to The Post. "I take 100% responsibility for this, and there is no excuse for what I have done. The bottom line is simply this: If I had done the right thing and been strong enough to make the right choice, we wouldn’t be here today, and for that I am truly sorry," Baugh said.

UK police arrest alleged ‘GTA VI’ hacker

Police in the UK have arrested a 17-year-old suspected hacker. Reports suggest the arrest is connected to the Rockstar Games hack that led to a major Grand Theft Auto VI leak. The individual may have been involved with an intrusion on Uber as well.

According to journalist Matthew Keys' sources, the arrest is the result of an investigation involving the City of London Police, the UK's National Cyber Crime Unit and the FBI. Keys noted that the police and/or the FBI will reveal more details about the arrest later today. The City of London Police told Engadget it had "no further information to share at this stage."

UPDATE: @CityPolice confirm 17-year-old arrested over hacking incident; source says the crime is related to intrusion on Rockstar Games and possibly Uber Technologies. https://t.co/lLHX2cpGfA $UBER

— Matthew Keys (@MatthewKeysLive) September 23, 2022

The GTA VI leak is unquestionably one of the biggest in video game history. Last weekend, the hacker shared a trove of footage from a test build of the game, which is one of the most hotly anticipated titles around. Rockstar, which tends to keep a tight lid on its development process, confirmed on Monday that the leak was legitimate. It said the incident won't impact work on the game and that it will "properly introduce" fans to the next title in the blockbuster series once it's ready.

Uber was also subject to a cybersecurity incident this month. The company said this week that the hacker in question didn't access user accounts but, as of Monday, it was still trying to determine the impact of the intrusion. Uber also noted reports suggesting that the same person or group might have been responsible for the Rockstar hack. In addition, it said the perpetrator may be connected to the Lapsus$ hacking group.

The 17-year-old was arrested in Oxfordshire, where one of the leaders of Lapsus$ is said to live. In March, BBC News reported that a 16-year-old from Oxford (who may have had a birthday since then) had been identified by researchers and hackers as having ties to the group. That same month, City of London Police arrested seven teenagers with alleged ties to Lapsus$, but it wasn't confirmed if the Oxford teen was among them. Lapsus$ has also targeted the likes of Microsoft, Okta and T-Mobile.

Amazon tests using police stations as package pickup points

Amazon lockers are already supposed to fend off package thieves, but some now perhaps have an extra layer of security. Washington DC is the first city in the US to test Amazon lockers at police stations. This week, Metropolitan Police Department installed the lockers at two sites in the city. The department and Amazon plan to position lockers at more stations if the pilot goes well, according to Washingtonian.

On the surface, it's a logical move to vex porch pirates. It's unlikely that anyone would try pinching a package from a police station. It's a little odd to imagine someone being released from custody only to pick up a package before they leave a police station.

Amazon already has several ties to law enforcement agencies. Earlier this summer, it emerged that the company has given police footage from Ring cameras on at least 11 occasions without a court order or user consent. Law enforcement was also able to use Amazon's facial recognition tech for a time. The company enacted a one-year ban on police use of Rekognition in 2020, and it extended that measure indefinitely last year.

Former Apple employee pleads guilty to stealing self-driving car secrets

Back in 2018, former Apple employee Xiaolang Zhang was arrested at San Jose International Airport where he was going to board a last-minute flight to China. Zhang was accused of transferring a 25-page document that includes the engineering schematics of a circuit board for the company's self-driving vehicle, along with technical manuals describing Apple's prototype, to his wife's laptop. He was also accused of stealing circuit boards and a Linux server from the company's development labs. Now, Zhang has pleaded guilty to a felony charge of theft of trade secrets in San Jose federal court, according to CNBC.

The news organization has obtained a court document (PDF) summarizing the proceedings in which Zhang changed his plea — he originally pleaded not guilty when he was indicted in 2018. In it, the court has noted that his plea agreement is under seal and that his sentencing is scheduled for November 14th. Zhang faces up to ten years in prison and could pay up to $250,000 in fines.

Before his arrest, Zhang worked as a hardware engineer in Apple's autonomous vehicle division and was part of the team that designs and tests circuit boards for sensors. As CNBC notes, circuit designs are typically considered some of the most valuable trade secrets in electronics. Apple reportedly first suspected Zhang of stealing from the company when he turned in his resignation following a paternity leave and a trip to China. He told the company that he was resigning so he could move back to China and take care of his mother. 

Zhang also told Apple that he was planning to work with XPeng Motors, an electric vehicle manufacturer that's also developing its own autonomous driving technology. His access to Apple's resources was cut off after he resigned, and an investigation followed soon after. It was through that investigation that Apple discovered that he transferred gigabytes' worth of top secret files via AirDrop and saw him physically taking hardware from the company's labs via CCTV footage.

Meanwhile, the tech giant remains as secretive about its autonomous vehicle development progress as ever. Last year, Bloomberg's Mark Gurman reported that Apple decided to focus on developing full self-driving capabilities and that the company is aiming to launch its autonomous electric vehicle in 2025. 

Dutch authorities arrest alleged developer of crypto mixing service Tornado Cash

An alleged developer of the Tornado Cash cryptocurrency mixing service has been arrested in the Netherlands. The Fiscal Information and Investigation Service (FIOD), a government agency that investigates financial crimes, said the 29-year-old man is suspected of "involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies." The suspect was due to appear before a judge today.

The FIOD started investigating Tornado Cash in June and its Financial Advanced Cyber Team suspects that the platform has been used to conceal the flow of criminal funds on a large scale, including illicit gains from crypto hacks and scams. The agency found that, since the platform launched in 2019, at least $1 billion of crypto of "criminal origin" has been funneled through Tornado Cash, with the service's creator believed to "have made large-scale profits from these transactions."

Earlier this week, the US government sanctioned Tornado Cash, a move that prohibits anyone in the country from carrying out any transactions on the service. The Treasury Department claimed that over $7 billion worth of crypto has been laundered through Tornado Cash, including $455 million stolen by North Korea's state-backed Lazarus Group hacking collective.

Former Twitter worker convicted of helping Saudi Arabia spy on dissidents

At least one former Twitter employee is facing prison time for allegedly helping Saudi Arabia spy on critics. Bloomberg reports a jury in San Francisco has convicted US resident Ahmad Abouammo of serving as an agent for Saudi Arabia, as well as falsifying records, money laundering and conspiracy to commit wire fraud. According to prosecutors, Abouammo took bribes in 2015 from a key aide to Saudi Crown Prince Mohammed bin Salman, Bader Al Asaker, in return for sensitive account info that could be used to track and silence dissidents.

The one-time media partnership manager said that he was only doing his job. However, the prosecution showed evidence that Abouammo received $300,000 and a $20,000 Hublot watch from the aide.

Abouammo will be sentenced to between 10 and 20 years in prison. He and his legal team have declined to comment. However, defense attorney Angela Chuang argued in court that the conviction is a consolation prize meant to "save face" for government officials and Twitter. The US supposedly let its main target, former Twitter engineer Ali Alzabarah, flee to Saudi Arabia. A third suspect outside of Twitter, Ahmed Almutairi, is believed to have acted as a go-between before he left for Saudi Arabia.

The case highlights concerns about the potential for staff at social media companies to abuse account information. Twitter previously said it limited data access to vetted employees and had "tools in place" to protect privacy, but those safeguards clearly failed. There are still concerns internet firms may need to further tighten security to prevent similar misuses.

US sanctions cryptocurrency mixer that allegedly laundered over $7 billion

The US is ramping up its efforts to crack down on shady cryptocurrency mixers. The Treasury Department has imposed sanctions on Tornado Cash, a mixer that allegedly helped launder more than $7 billion in stolen crypto funds since its inception in 2019. Like a previous sanctions target, Blender, Tornado Cash is accused of "indiscriminately" helping thieves by hiding transaction details while failing to institute meaningful anti-laundering safeguards. North Korea's state-sponsored Lazarus Group hackers are believed to have funneled $455 million through the mixer.

The sanctions block transactions with or for the benefit of Tornado Cash-related individuals and entities, whether they're located in the US or controlled by Americans. Anyone who detects banned activity is required to inform the Treasury's Office of Foreign Assets Control.

Tornado Cash runs on the Ethereum blockchain. Officials said the mixer played a role in other large-scale thefts, including the Harmony Bridge heist (where it laundered $96 million) from June and this month's Nomad attack (involving "at least" $7.8 million).

The government has taken legal action against crypto mixers for years. Federal law enforcement charged an Ohio man in 2020 for running a darknet mixer that helped criminals launder $300 million. The Treasury only started sanctioning mixers when it blocked Blender this May, however. The US now believes criminal-friendly mixers are a national security threat, and hopes efforts like these will curb both terrorism and attempts to dodge conventional sanctions.

SEC charges 11 people over 'textbook' $300 million crypto Ponzi scheme

It's a day of the week ending in the letter "y," which inevitably means there's news of another messy saga in the cryptocurrency world. The Securities and Exchange Commission has charged 11 people who allegedly set up and promoted Forsage, which it said was a crypto Ponzi scheme that pulled in over $300 million from retail investors.

The agency asserts that Forsage enabled millions of people to engage in transactions through smart contracts on the Ethereum, Tron, and Binance blockchains. It alleged that Forsage had essentially been operating as a pyramid scheme for over two years, wherein the main way for investors to make money was by luring other people into the scheme. "Fraudsters cannot circumvent the federal securities laws by focusing their schemes on smart contracts and blockchains," Carolyn Welshhans, acting chief of the SEC's Crypto Assets and Cyber Unit, said in a statement.

"Forsage is a textbook pyramid and Ponzi scheme," the SEC's complaint reads. "It did not sell or purport to sell any actual, consumable product to bona fide retail customers during the relevant time period and had no apparent source of revenue other than funds received from investors."

Four of those charged are Forsage's founders, who were last known to be living in Russia, the Republic of Georgia and Indonesia. The SEC also charged three promoters based in the US, who the founders allegedly recruited to endorse Forsage on its website and social media. Several members of a group called Crypto Crusaders, a group that promoted the scheme, were charged with violating the registration and anti-fraud provisions of federal securities laws as well. Two defendants have agreed to settle the charges without admitting or denying the allegations.

As CNBC notes, Forsage's founders launched the platform in January 2020. Regulators in the Philippines and Montana tried to shut it down with cease-and-desist actions. The SEC alleged that the defendants continued to promote Forsage while denying claims made against the platform in YouTube videos.

US federal court system attacked by 'hostile foreign actors' in 2020 security breach

The US federal courts' document filing system was attacked by three hostile foreign actors, House Judiciary Committee Chair Jerrold Nadler has told fellow lawmakers. According to Politico, Nadler made the first public disclosure of the cyberattack at a committee hearing on oversight of the Justice Department's National Security Division (NSD). The attack happened as part of a bigger security breach that led to a "system security failure" way back in 2020. Nadler admitted during the hearing, however, that the committee only learned about the "startling breadth and scope" of the breach this March.

Matthew Olsen, the Assistant Attorney General for National Security, testified at the hearing and said his division is "working very closely with the judicial conference and judges around the country to address this issue." As you can guess, lawmakers are worried about how many cases were impacted by the breach and how exactly the issue had affected them. "[T]his is a dangerous set of circumstances that has now been publicly announced, and we need to know how many…were dismissed," committee member Rep. Sheila Jackson Lee told Olsen. When asked if the breach had affected any of the cases the NSD had handled, Olsen said he couldn't think of any in particular.

There's still a lot of information about the breach that's kept under wraps — Senator Ron Wyden even wrote to the Administrative Office of the US Courts to express concerns about the fact that "the federal judiciary has yet to publicly explain what happened and has refused multiple requests to provide unclassified briefings to Congress." As Politico notes, though, the US Courts admitted in January 2021 that its Case Management/Electronic Case Files system was breached and even changed its filing procedures for sensitive documents. The publication also points out that this breach wasn't a part of the massive SolarWinds hacks, which are being blamed on a Russian state-sponsored group known as Nobelium.

Olsen said the Justice Department's investigators will keep the committee updated about any new developments, so we'll likely hear more information about the data breach in the future.