Uber's former chief security officer charged with attempting to cover up massive hack

Uber's former chief security officer has been charged with leading an alleged attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers, the Department of Justice announced Thursday. Joseph Sullivan has been charged with obstruction of justice and misprision of a felony, which refers to concealing knowledge of a felony from law enforcement officials.

The complaint alleges that on November 14, 2016 — 10 days after Sullivan had testified to the Federal Trade Commission about a previous data breach — a hacker told Sullivan that he had been able to breach the company's system. But rather than report that to the commission, as he is legally required to do, Sullivan "allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC."

"Witnesses reported Sullivan was visibly shaken by the events," the complaint said. "A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out."

The complaint accuses Sullivan of paying the two hackers $100,000 in bitcoin through a "bug bounty" program — a legal program designed to reward those who point out a company's security flaws — even though the hackers had stolen data, which violates the program's terms and conditions. It also claims that Sullivan sought to have the hackers sign non-disclosure agreements that said that they did not steal or store any data, even though both he and the hackers knew this to be false.

After Uber came under new management in 2017, executives discovered the breach and disclosed it to the FTC, according to the complaint. 

In response to the charges, Uber told CBS News that "We continue to cooperate fully with the Department of Justice's investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."

The complaint also alleges that Sullivan misled the company after it had discovered the breach by failing to disclose crucial details about the hack. When preparing a brief for the new CEO, Sullivan allegedly edited his team's draft to remove details about what the hackers had stolen and falsely state that the hackers had only been paid after they were identified. 

Sullivan was eventually fired, the complaint states.

The two hackers responsible for the breach pled guilty on October 30, 2019. The complaint states that "both [hackers] chose to target and successfully hack other technology companies and their users' data" after Sullivan did not alert authorities to the breach at Uber.

"Silicon Valley is not the Wild West," U.S. Attorney David Anderson said in the Department of Justice's statement. "We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."

A spokesperson for Sullivan told CBS News that "there is no merit to the charges," adding, "If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all."

The spokesperson also claimed Sullivan "collaborated closely with legal, communications and other relevant teams at Uber," and that the company's legal department "was responsible for deciding whether, and to whom, the matter should be disclosed." 

If convicted, Sullivan would face a maximum of five years in prison for the obstruction charge and three years for the misprision charge. 
