A former top Uber security official covered up a 2016 cyber breach affecting nearly 60 million of the ride-share company’s customers and drivers as part of a payoff scheme to hide the hacking, the U.S. Department of Justice charged in a felony complaint filed in federal court.
According to the filing, Joseph Sullivan, who served as Uber’s chief security officer from April 2015 to November 2017, took “deliberate steps to conceal, deflect and mislead” the Federal Trade Commission (FTC) about the security lapse and the theft of personal data. The two hackers who inflicted the damage had accessed and downloaded an Uber database that included the driver’s license numbers of about 600,000 drivers; they then allegedly contacted Sullivan by email and demanded a six-figure payoff to stay silent about the cyber break-in, according to the complaint.
Sullivan attempted to pay off the hackers with funds designated for Uber’s bug bounty program, Justice said. Uber ultimately paid the hackers $100,000 in bitcoin in December 2016, and Sullivan got them to sign non-disclosure agreements that falsely stated they had not stolen any data. The case is unusual in that bug bounties are not meant to serve as hush-money payoffs to cyber crooks; they are meant to reward white-hat hackers for discovering and reporting vulnerabilities before attackers exploit them. It is not clear, however, whether other companies have engaged in similar under-the-table deals or whether this case is a one-off event.
The criminal complaint also alleges that “Sullivan failed to provide the new executive management team with critical details about the breach” and that then-Uber chief executive Travis Kalanick knew of his actions. Justice said it uncovered the scheme when current Uber chief Dara Khosrowshahi disclosed the payoff, then fired Sullivan and a deputy after learning the extent of the breach. Uber subsequently paid out nearly $150 million to settle claims by all 50 U.S. states and Washington, D.C. that it had failed to reveal the breach in a timely manner.
“Silicon Valley is not the Wild West,” said U.S. Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
As for the hackers, both pleaded guilty in October 2019 to computer fraud conspiracy charges. The criminal complaint makes clear that “both chose to target and successfully hack other technology companies and their users’ data” after Sullivan failed to advise law enforcement of the security breach.
A spokesperson for Sullivan told Reuters that disclosure matters were decided by the Uber legal department and denied the case had merit. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” the spokesperson said.
Sullivan now works as chief information security officer at Cloudflare.