The US Department of Justice has alleged that Joseph Sullivan, the former Chief Security Officer of Uber, has covered up a 2016 hack on the company that compromised data of millions of users and drivers. According to the DOJ, Sullivan paid the hackers $100,000 in Bitcoin.
The announcement from the DOJ informed about a recently filed complaint against Sullivan, who served as Uber’s CSO from April 2015 to November 2017. It charged him with “obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated.”
The hackers had contacted Sullivan at the time and revealed that they had accessed and downloaded an Uber database containing personally identifying information (PII) associated with nearly 60 million Uber users and drivers. That particular database included over 600,000 drivers’ license numbers for people driving for the company.
The hackers demanded a six-figure payment not to go public with the story and share the personal details. According to the complaint, Sullivan failed to contact the proper authorities. Instead, he “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.”
“Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.” – said US Attorney David Anderson.
FBI Deputy Special Agent in Charge Craig Fair asserted that Sullivan’s actions are a crime. He warned other companies not to follow his example as it will only worsen the problem for the firm, the customers, and the authorities.
DOJ’s statement explained that instead of reaching out to the FTC, Sullivan sought to pay the hackers off by funneling the ransom through a bug bounty program. This means employing a third-party intermediary to arrange the entire payment process.
Ultimately, Uber paid the hackers $100,000 in Bitcoin in December 2016, even though the attackers refused to disclose their true names. Sullivan demanded that they sign non-disclosure agreements containing a false representation that the hackers did not take or store any valuable data.
Even when two of the hackers were exposed and arrested, he arranged for them to sign fresh copies of the non-disclose agreements in their actual names. The new agreements retained the false condition that no data had been obtained in the hack.
If convicted, Sullivan could face a maximum statutory penalty of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge.
