Uber’s former chief security officer Joe Sullivan (pictured) was charged with obstructing justice and concealing a felony on Thursday
Uber’s former chief security officer has been charged with allegedly trying to cover up a data breach that exposed the email and phone numbers of 57 million drivers and passengers.
Federal prosecutors on Thursday charged Joe Sullivan, 52, with obstructing justice and concealing a felony in connection to the 2016 hack.
Sullivan, who served as the company’s security officer from 2015 to 2017, is accused of taking ‘deliberate steps to conceal, deflect, and mislead’ the Federal Trade Commission, as well as his own colleagues, about the breach.
According to a criminal complaint filed in a California federal court on Wednesday, Sullivan had funneled hackers $100,000 in Bitcoin in December 2016 in exchange for their silence before making them sign a non-disclosure agreement.
The cyber attack had come to light on November 14 that year – just 10 days after Sullivan had testified in an FTC investigation into another Uber hack that occurred in September 2014.
Prosecutors said two hackers, identified last year as Brandon Glover, 26, and Vasile Mereacre, 23, demanded the six-figure sum after emailing Sullivan informing him of the breach.
Sullivan is accused of trying to cover up a data breach in 2016 that exposed the email and phone numbers of 57million Uber drivers and passengers (stock photo)
U.S. Attorney David Anderson announced the criminal charges against Sullivan on Thursday. Prosecutors said Sullivan allegedly paid hackers $100,000 in exchange for their silence
They told the executive they had accessed and downloaded an Uber database containing personally identifying information of 57 million users.
The database included the driver’s license numbers for approximately 600,000 people who drove for Uber, according to prosecutors.
The criminal complaint states Sullivan had been’ visibly shaken’ by the hack and allegedly told his team he couldn’t believe they had let another breach happen and had them make sure word of the attack did not get out.
‘Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,’ prosecutors said on Thursday.
Sullivan is accused of paying them off using a bug bounty program, in which a third party intermediary arranges payment to ‘white hat’ hackers who point out security flaws for companies without compromising the data themselves.
Using bug bounties is not uncommon for some tech companies, however a six-figure payment for the service is not standard practice.
Prosecutors claim Sullivan sent the money over despite the fact that the hackers refused to provide their true names.
The confidentiality agreements also falsely claimed the hackers had not taken or stored any of the data.
When the company finally identified the perpetrators, Sullivan allegedly made the two men sign new NDAs with their real names but retained the false line that they hadn’t taken any information, according to prosecutors.
Following Uber founder and former chief executive Travis Kalanick’s departure, Sullivan briefed new CEO Dara Khosrowshahi about the 2016 attack in an email prepared by his team in September 2017.
Sullivan, however, edited the message to remove the fact that the hackers had indeed obtained data and lied saying they had only paid the men off after they were identified, prosecutors said.
Sullivan’s alleged scheme was exposed in November 2017 after Dara Khosrowshahi (left) was named CEO, following Travis Kalanick’s (right) departure
The deal was eventually exposed in November 2017 and reported to the FTC. Sullivan was fired the same month.
Details of the breach were also released to the public in a statement, in which Khosrowshahi acknowledged the company’s ‘failure’ to notify the affected individuals earlier.
‘Silicon Valley is not the Wild West,’ U.S. Attorney David L Anderson said after announcing the charges on Thursday.
‘We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations.
‘We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.’
In 2018, Sullivan denied he was involved in concealing the hack telling the NYT: ‘I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.’
Sullivan’s initial federal court appearance has not yet been scheduled.
Meanwhile, Glover, of Winter Springs, Florida, and Mereacre, of Toronto, are awaiting sentencing after pleading guilty to computer fraud conspiracy charges in October last year.
According to the plea agreements, Uber agreed to pay the men in two payments of $50,000 after three weeks of negotiation.
By January 2017, the company contacted the hackers again to tell them they had discovered Glover’s real identity.
An Uber exec later met with Glover at his Florida home where he was made to sign another confidentiality agreement.
Mereacre was later asked to do the same during a separate meeting in a Toronto hotel days later, prosecutors said.