The U.S. Attorney’s Office in the Northern District of California has filed a criminal complaint against Joseph Sullivan, Uber’s former Chief Security Officer, for allegedly hiding details of a 2016 data breach from the Federal Trade Commission (FTC).
The complaint states that Sullivan was contacted by two hackers who told him that they had accessed and downloaded personal information about 57 million Uber users and drivers. Instead of relaying this information to government officials, regulators say that Sullivan purposely misled the FTC and Uber leadership about the breach and paid the hackers $100,000 in Bitcoin to keep them quiet.
“Silicon Valley is not the Wild West. We expect corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments,” said U.S. Attorney David L. Anderson.
Payoffs through bug bounty program
Sullivan allegedly became embroiled in this deception after being selected as the Uber official in charge of responding to the FTC’s written questions about a separate breach that Uber experienced in 2014. However, only days before he was scheduled to give sworn testimony about that breach, Sullivan received an email from two hackers who claimed to have infiltrated Uber again in 2016.
After receiving the message, Sullivan allegedly tried to pay the hackers off through Uber’s bug bounty program and demanded that they sign a non-disclosure agreement which falsely claimed that the duo had not taken or stored any of the stolen data. Uber finally came clean about the supposed incident after coming under new management in 2017 and worked with law enforcement officials so that the two hackers could be prosecuted.
The charges against Sullivan include obstruction of justice and misprision of a felony. If convicted on both counts, he could face up to eight years in prison.
“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data,” said FBI deputy special agent Craig D. Fair in a statement.