Uber’s former chief security officer has been charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal details of 57 million app users and drivers, the Department of Justice announced Thursday.
Joseph Sullivan has been charged with obstruction of justice and misprision of a felony, which refers to hiding knowledge of a felony from law enforcement officials.
The complaint alleges that on November 14, 2016, 10 days after Sullivan had testified to the Federal Trade Commission (FTC) about an earlier data breach, a hacker informed Sullivan that he had been able to breach the company’s system. But instead of reporting that to the commission, as he was legally required to do, Sullivan “allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC”.
“Witnesses reported Sullivan was visibly shaken by the events,” the complaint noted. “A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out.”
The complaint accuses Sullivan of paying the two hackers $100,000 in bitcoin through a “bug bounty” program, a legal program made for rewarding those who point out a company’s security flaws, even though the hackers had stolen data, which breached the program’s terms and conditions. It also alleges that Sullivan sought to have the hackers sign non-disclosure agreements that said that they did not steal or store any data, even though both he and the hackers knew this to be false.
After Uber came under new management in 2017, executives found the breach and revealed it to the FTC, according to the complaint.
Uber has said that it is fully cooperating with the Department of Justice’s investigation.
The complaint also alleges that Sullivan deceived the company after it had found the breach by failing to reveal important details about the hack. When preparing a brief for the new CEO, Sullivan allegedly modified his team’s draft to remove details regarding what the hackers had stolen and falsely state that the hackers had only been paid after they were identified.
Sullivan was eventually dismissed, the complaint notes.
The two hackers who were responsible for the breach pled guilty on October 30, 2019. The complaint noted that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Sullivan did not alert officials to the breach at Uber.
“Silicon Valley is not the Wild West,” said U.S. Attorney David Anderson in the Department of Justice’s statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
A spokesperson for Sullivan said there is no merit to these allegations and that, were it not for Sullivan and his team, the individuals responsible for this incident would likely never have been identified.
The spokesperson also claimed Sullivan collaborated with legal, communications, and others at Uber relevant to the case, and that the company’s legal department was responsible for deciding to whom the matter should be disclosed.
If convicted, Sullivan would face a maximum of five years in jail over the obstruction charge and three years for the misprision charge.