The Justice Department (DOJ) has filed charges against Uber’s former security chief for allegedly attempting to conceal a 2016 hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.
Prosecutors accuse Joseph Sullivan, who was Uber’s chief security officer from April 2015 to November 2017, of not disclosing the 2016 hacking incident to federal investigators who were looking into another data breach that had occurred two years earlier.
In 2016, hackers obtained access to Uber’s user data and asked for a six-figure ransom. Sullivan and other Uber executives allegedly negotiated a $100,000 bitcoin payment in December 2016 and asked the hackers to sign nondisclosure agreements.
The complaint claims Sullivan took deliberate steps to conceal, deflect and mislead the Federal Trade Commission (FTC) about the breach while it was investigating the earlier data breach. He allegedly lied to prosecutors and other top Uber employees tasked with communicating with the FTC as well.
“Silicon Valley is not the Wild West,” said U.S. Attorney David Anderson in a statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
If found guilty, Sullivan faces up to eight years in prison, as well as potential fines of up to $500,000.
In a statement to The Hill, Sullivan’s attorney, Bradford Williams, denied any wrongdoing.
“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” Williams said. “Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
Uber sought to handle the issue through a so-called bug bounty program, in which a third-party intermediary arranges payment to hackers who point out security issues but have not actually compromised data.
The ride-share company did not disclose the breach until November 2017, while under new management. Dara Khosrowshahi, Uber’s current chief, ousted Sullivan and Uber’s legal director of security and law enforcement, Craig Clark.
Uber settled with the FTC and agreed to audits of its privacy and security systems every two years for the next two decades. The company also paid a $148 million penalty to settle lawsuits brought by all 50 states and the District of Columbia.
In October, Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian national, pleaded guilty to the hack.