Joe Sullivan, Uber’s former chief security officer, is facing criminal charges for allegedly covering up a hack at the ride-hailing business in 2016 by concealing the data breach from the FTC.
On Thursday (20 August), the US Department of Justice (DoJ) announced that Uber’s former chief security officer (CSO) Joe Sullivan has been charged with obstruction of justice and misprision of a felony. If convicted on both counts, he could face up to eight years in prison.
Sullivan, who led Uber’s security team, is accused of attempting to cover up a 2016 data breach that exposed the data of 57 million Uber customers and drivers. In 2017, Sullivan was fired by Dara Khosrowshahi, who had just taken up the role of CEO at Uber.
According to Bloomberg, it later emerged that the company paid hackers $100,000 to delete the stolen data and keep the breach quiet.
At the time, Khosrowshahi said in a statement: “None of this should have happened and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
‘Silicon Valley is not the wild west’
According to The New York Times, the charges filed against Sullivan are believed to be the first against an executive relating to a company’s response to a security incident.
Prosecutors allege that Sullivan committed two felonies by failing to disclose the 2016 incident to the federal investigators who were, at the time, already examining a similar data breach at Uber in 2014.
In the DoJ’s statement, the department said: “The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect and mislead the Federal Trade Commission (FTC) about the breach.”
David Anderson, US attorney in San Francisco, said: “When a company like Uber gets hacked, we expect good corporate citizenship, we expect disclosure to the employee and consumer victims in that hack. In this case, what we saw was the exact opposite of good corporate behaviour.”
Anderson added that “hush money payments” will not be tolerated, as “Silicon Valley is not the wild west.”
Sullivan is not the first former Uber executive to face federal charges. Former Uber engineer Anthony Levandowski was recently sentenced to 18 months in prison for stealing self-driving car trade secrets from Google before he joined Uber.
The alleged cover-up
The DoJ said that rather than reporting the 2016 breach, Sullivan took “deliberate steps” to prevent knowledge of the breach from reaching the FTC.
The department claims that the former CSO attempted to pay hackers by funnelling the payoff through a bug bounty programme, and paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their real names.
Sullivan also allegedly attempted to get the hackers to sign non-disclosure agreements, which contained a false representation that the hackers did not take or store any data. The DoJ complaint also alleges that Sullivan deceived Uber’s new management team by failing to provide them with critical details about the breach.
The DoJ said: “In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
The two hackers behind the breach were later prosecuted in California in October 2019, pleading guilty to computer fraud conspiracy charges.
The criminal complaint against Sullivan states that, after the Uber CSO failed to bring the breach to the attention of law enforcement, the two hackers went on to target and successfully hack other technology companies and their users’ data.
Sullivan now serves as chief security officer (CSO) at web infrastructure and website security company Cloudflare. Bradford Williams, a spokesperson for Sullivan, said that he acted with the approval of Uber’s legal department.
Williams said: “If not for Mr Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. Uber’s legal department – and not Mr Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed.”