Uber’s former chief security officer, who allegedly paid off hackers to keep a massive data breach secret, has been charged with obstruction of justice and misprision of a felony. The 52-year-old faces up to eight years in prison if convicted.
The U.S. Department of Justice this week announced that Joseph Sullivan of Palo Alto, California, allegedly took “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission about the widely reported 2016 hack of Uber Technologies Incorporated.
As some readers will remember, four years ago two hackers breached a database owned by the ride-hailing firm and stole personally identifying information associated with approximately 57 million Uber users and drivers. The duo allegedly contacted Sullivan by email and demanded a six-figure payment in exchange for their silence. Sullivan, according to the complaint, paid the hackers $100,000.
The exec allegedly sought to disguise the payment as a bug-bounty reward, enrolling the hackers in Uber’s bug-bounty program despite not knowing their real names. Uber’s new management ultimately discovered Sullivan’s attempt to conceal the hack and hide critical details about the affected data, and decided to alert authorities about the breach.
The DOJ press release describes, in fine detail, Sullivan’s convoluted attempts to conceal the incident and deceive Uber management about the event:
“In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”
“The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
The two hackers were prosecuted last year and pleaded guilty to all charges. They now await sentencing, the DOJ says.
As for Sullivan, he is charged with obstruction of justice and misprision of a felony, which carry maximum sentences of five and three years, respectively. Sullivan’s initial federal court appearance has not yet been scheduled.
In 2018, the UK Information Commissioner’s Office (ICO) fined the ride-hailing company £385,000 for the breach, which translated into around $490,000 at the time. Had the violation occurred after the GDPR took effect in May 2018, the penalty could have been up to 200 times larger. Around the same time, the Dutch data protection authority, the Autoriteit Persoonsgegevens, fined Uber €600,000 for the same breach.