The U.S. Department of Justice has charged Uber’s former chief security officer with obstruction of justice for covering up a hack of the ride-hailing service’s computer system in 2016 and exposing the personal data of millions of users of the service and its drivers.
According to the complaint filed in federal court in San Francisco, between April 2015 and November 2017, Joseph Sullivan, 52, of Palo Alto, California, served as Uber’s Chief Security Officer.
During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers.
The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber. The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission, or FTC, about the breach.
The criminal complaint makes clear that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Sullivan failed to bring the Uber data breach to the attention of federal authorities. Instead he arranged to pay the hackers at least $100,000.
“Silicon Valley is not the Wild West,” said U.S. Attorney for the Northern District of California David Anderson.
“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments,” Anderson said in statement.
The complaint describes how Sullivan played a pivotal role in responding to FTC inquiries about Uber’s cyber security. Uber had been hacked in September of 2014 and the FTC was gathering information about that 2014 breach.
The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath on a variety of topics. Sullivan assisted in the preparation of Uber’s responses to the written questions and was designated to provide sworn testimony on a variety of issues. On Nov. 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email.
Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC. For example, Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program — a program in which a third-party intermediary arranges payment to so-called “white hat” hackers who point out security issues but have not actually compromised data.
Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact the hackers refused to provide their true names. In addition, Sullivan sought to have the hackers sign non-disclosure agreements.
The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names.
The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017. Since that time, Uber has responded to additional government inquiries.
The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email.
Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.
The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on Oct. 30, 2019, to computer fraud conspiracy charges and now await sentencing.