Former Uber security officer charged with covering up 2016 data hack

Joseph Sullivan paid hackers $100,000 to keep silent about the hack

The US Department of Justice has charged Uber Technologies' former chief security officer for paying hackers to cover up a 2016 data breach that affected nearly 57 million customers and drivers of the company.

On Thursday, the Justice Department filed a criminal complaint in the US District Court in San Francisco, charging Joseph Sullivan, 52, with "obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack at Uber."

The Department said that instead of reporting the data breach to the Federal Trade Commission, which was already probing an earlier hack at Uber, Sullivan arranged to pay the hackers $100,000 in exchange for keeping silent on the hack.

Sullivan served as Uber's Chief Security Officer between April 2015 and November 2017. He joined Uber after leading cybersecurity efforts at social media giant Facebook.

During Sullivan's tenure at Uber, two hackers attacked the company's database and were able to download confidential files containing personal information of Uber's customers and drivers, including the driving licence details of nearly 600,000 drivers.

After stealing the data, the hackers contacted Sullivan through email and demanded a six-figure payment. As per court documents, Sullivan arranged to pay $100,000 (in bitcoins) to the hackers under Uber's bug bounty programme, which was not meant to cover theft of the firm's confidential data.

Sullivan also asked the hackers to sign non-disclosure agreements that wrongly stated they had not stolen data from Uber.

The complaint also alleges that then-CEO Travis Kalanick was aware of Sullivan's actions.

Sullivan was fired from the company after Uber hired Dara Khosrowshahi as new CEO in 2017. Khosrowshahi later fired another senior executive after learning the extent of the hack.

Uber had to pay $148 million to settle claims by all 50 US states and Washington, D.C. that it was slow to disclose the breach.

The company was also fined by the UK Information Commissioner's Office and the Dutch Data Protection Authority for failing to protect customers' personal information.

The hackers who carried out the attack were eventually identified and prosecuted in the Northern District of California. They pleaded guilty to computer fraud charges in 2019.

If Sullivan is convicted in the case, he could face up to eight years in prison.

Bradford Williams, spokesman for Sullivan, said that his client had acted with the approval of Uber's legal department, and there was no merit to the charges against him.

Williams added that it was the responsibility of Uber's legal department to decide "whether, and to whom, the matter should be disclosed."