Uber’s former chief security officer, who allegedly paid off hackers to keep a massive data breach secret, has been charged with obstruction of justice and misprision of a felony. The 52-year-old faces up to 8 years behind bars for his crimes.
The U.S. Department of Justice this week announced that Joseph Sullivan of Palo Alto, California, allegedly took “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission about the widely circulated hack of Uber Technologies Incorporated in 2016.
As some readers will remember, four years ago, two hackers breached a database owned by the ride-hailing firm and stole personally identifying information associated with approximately 57 million Uber users and drivers. The duo allegedly contacted Sullivan by email and demanded a six-figure payment in exchange for silence. Sullivan, according to the complaint, paid the hackers $100,000.
The exec sought to conceal the payment through a rigged bug-bounty program in which he artificially enrolled the hackers, despite not knowing their real names. Uber management ultimately discovered Sullivan’s attempt to conceal the hack and hide critical details about the affected data and made the tough decision to alert authorities about the breach.
The DOJ press release describes, in fine detail, Sullivan’s convoluted attempts to conceal the incident and deceive Uber management about the event:
“In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”
“The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
The two hackers were prosecuted last year and pleaded guilty to all charges. They now await sentencing, the DOJ says.
As for Sullivan, he is charged with obstructing justice and misprision of a felony, carrying penalties of five and three years, respectively. Sullivan’s initial federal court appearance has not yet been scheduled.
In 2018, the Information Commissioner’s Office (ICO) in the UK fined the ride-sharing company £385,000 for the breach, which translated into around $490,000 at that time. Had the violation occurred after the GDPR took effect in May 2018, the penalty could have been up to 200 times larger. Around the same time, the Netherlands fined Uber as well, €600,000, through its data protection authority, Autoriteit Persoonsgegevens.