Uber’s former chief security officer has been charged with obstruction of justice over accusations that he attempted to cover up a 2016 hack of the company, which exposed the personal details of 57m users and drivers.
Prosecutors said Joseph Sullivan, 52, hid the breach from the relevant authorities, and instead paid a ransom to the hackers and had them sign non-disclosure agreements stating, falsely, that they had not stolen personal information.
“The agreements contained a false representation that the hackers did not take or store any data,” prosecutors said in a press release. “When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements.”
A spokesman for Mr Sullivan said the charges were without merit.
“From the outset, Mr Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” the spokesman said.
“Those policies made clear that Uber’s legal department — and not Mr Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
Mr Sullivan, who worked at Facebook prior to Uber, is said to have authorised the payment to the hackers of $100,000 in bitcoin, disguising the fee as coming via the company’s legitimate “bug bounty” programme — normally used to pay well-intentioned cyber security experts for discovering flaws and vulnerabilities.
It was not until November 2017, almost a year after Mr Sullivan allegedly knew the attack took place, that Uber revealed its knowledge of the breach and Mr Sullivan was dismissed.
“None of this should have happened, and I will not make excuses for it,” chief executive Dara Khosrowshahi said at the time, which was shortly after he took over from ousted co-founder Travis Kalanick.
Investigators said Mr Sullivan took “deliberate steps” to conceal the breach and his subsequent actions from the new chief executive, as well as making sure that the Federal Trade Commission — which at the time was already in contact with Uber about an earlier hack in 2014 — did not find out about the latest security lapse.
“Silicon Valley is not the Wild West,” said US attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect co-operation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Uber said it was continuing to support the DoJ’s investigation. It paid $148m in 2018 to resolve claims that it intentionally concealed the breach, which were brought by all 50 states and Washington DC.
Prosecutors said the two hackers involved in the breach, who were eventually identified by Mr Sullivan, pleaded guilty to computer fraud conspiracy charges and are currently awaiting sentencing in California. Investigators said the pair had gone on to target other technology companies after the Uber hack.