SAN FRANCISCO (CBS SF) – A former chief security officer for Uber was charged Thursday in federal court in San Francisco with trying to cover up a 2016 hack involving 57 million users and drivers, federal prosecutors said.
Joseph Sullivan, 52, of Palo Alto, was charged with obstruction of justice and misprision of, or concealing, a felony in the breach, which affected personal information such as driver’s license numbers for drivers, according to prosecutors.
Prosecutors allege that while Sullivan worked as chief of security for Uber, between April 2015 and November 2017, two hackers emailed him demanding a six-figure sum in exchange for their silence.
“Silicon Valley is not the Wild West,” U.S. Attorney David Anderson said. “We expect good corporate citizenship. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Anderson alleged in a statement on YouTube that Sullivan had Uber pay the hackers $100,000 in bitcoin in return for promising to tell no one about the hack. Sullivan faces a maximum sentence of 8 years in prison.
Anderson also alleged that Sullivan covered up the hack by disguising the payment as a bug bounty, which allows companies to compensate hackers who expose a security breach and do not take advantage of it.
“It is not a bug bounty to pay a hacker who has taken your data and is threatening to expose it,” Anderson said.
Both the size of the payment and the fact that Sullivan made it before knowing the true names of the hackers also show that this was not a bug bounty, Anderson said.
Uber publicly disclosed the hack in November 2017. The hackers pleaded guilty last year and admitted to hacking other companies in similar ways, Anderson said. If Sullivan had promptly reported the hack at Uber, the other hacks might have been prevented, he said.
After Uber was hacked in 2014, prosecutors said, Sullivan played an important role in Uber’s responses to Federal Trade Commission inquiries into cybersecurity at Uber.
They said Uber designated Sullivan to help prepare written responses and provide testimony. Just 10 days later, in November 2016, he learned – by email from the hacker – that Uber was the victim of another breach, prosecutors said.
Sullivan’s team confirmed the hack within 24 hours after receiving the email from the hackers, prosecutors said, but they allege he then tried to get the hackers to sign non-disclosure agreements falsely stating that they did not take any data.
After the company discovered the identities of two of the hackers, Sullivan allegedly arranged for them to sign the same non-disclosure agreements but with their real names.
Prosecutors also allege that, when Uber ushered in new management in August 2017 after founder Travis Kalanick stepped down as CEO, Sullivan tried to conceal the whole affair.
Attempts to reach Sullivan or his spokesperson were unsuccessful.
“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said late Thursday by email. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity and accountability.”
© Copyright 2020 CBS Broadcasting Inc. and Bay City News Service. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.