The former chief security officer at Uber has been charged with attempting to cover up a highly damaging 2016 data breach.
Personal data belonging to around 57 million customers and employees was exposed in the 2016 hack, and the ride-hailing company’s reputation was severely damaged when news of the scandal eventually broke.
The US Department of Justice charged Joseph Sullivan with felony obstruction of justice, alleging that he deliberately concealed details of the hack from federal investigators.
Sullivan, who joined Uber in 2015 from Facebook, is also accused of agreeing to pay the hackers $100,000 out of funds from the company’s bug bounty programme, which allows security researchers to report flaws in exchange for fees.
The hackers were allegedly required to sign a non-disclosure agreement about the data breach. This, prosecutors say, falsely claimed that the attackers had failed to access or steal company data.
Ultimately, it was revealed that the cybercriminals had accessed and downloaded an Uber database containing personally identifying information (PII) associated with millions of customers and employees. This database included driver licence numbers for some 600,000 Uber drivers.
“Silicon Valley is not the Wild West,” said US Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
Deputy Special Agent in Charge, Craig Fair, added that the case represents an “extreme example of a prolonged attempt to subvert law enforcement”.
“We hope companies stand up and take notice,” Fair said. “Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
Bradford Williams, a spokesperson for Sullivan, insisted the former executive complied with company policy and acted lawfully.
“From the outset, Mr Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” he said.
“Those policies made clear that Uber’s legal department – and not Mr Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed,” Williams added.
Uber did not disclose details of the security breach until November 2017. The ride-hailing giant’s new CEO, Dara Khosrowshahi, revealed shortly after joining the firm that the breach had taken place.
In September 2018, Uber agreed to pay $148 million to settle claims lodged by all 50 states and Washington DC. As part of the settlement, the company agreed to implement a new corporate ethics framework aimed at encouraging employees to report concerning behaviour.
Uber also agreed to reform its data security practices with the help of an independent third-party consultancy.
The two hackers responsible for the breach were prosecuted in California, with both pleading guilty on October 30th 2019 to computer fraud conspiracy charges. Both are now awaiting sentencing, with the complaint stating that they specifically targeted other technology companies following the Uber incident.