Former Uber CSO criminally charged with covering up 2016 data breach


U.S. prosecutors have charged the former Chief Security Officer of Uber with covering up a 2016 data breach at the ride-hailing company that exposed information tied to roughly 57 million people.

Joe Sullivan was charged Thursday in the U.S. District Court in San Francisco with failing to disclose details of the security incident to the proper authorities. Sullivan, who now works as the chief information security officer at Cloudflare, allegedly committed two felonies by withholding the hack from federal investigators while they were probing the circumstances of an earlier Uber data breach.

Sullivan was charged with obstruction of justice and misprision of a felony. The maximum sentence if convicted on both charges is eight years in prison.

The complaint pertains to a 2016 incident in which two hackers contacted Uber by email to report that they had accessed personal information on 57 million Uber users and drivers, including driver's license numbers. The hack came while the U.S. Federal Trade Commission was already investigating Uber over an unrelated breach that had occurred in 2014.

Instead of informing the FTC about the 2016 breach, the U.S. Department of Justice said in the complaint, Sullivan arranged to pay the hackers $100,000 and had them sign non-disclosure agreements in their true names. The NDAs characterized the payment as part of Uber's bug bounty program, even though that program did not cover an incident of this kind. The NDAs also included a false statement that the attackers had not taken or stored any Uber data, a claim that Sullivan and the hackers all knew to be untrue, prosecutors said.

According to the complaint, witnesses reported that Sullivan was “visibly shaken” by the breach, and that he “stated in a private conversation that he could not believe they had let another breach happen” and that security personnel were to discuss the hack “only on a need-to-know basis.”

Sullivan could not immediately be reached for comment.

During the FTC investigation, Sullivan participated in conference calls with FTC attorneys, sat for sworn testimony in Washington, D.C., reviewed Uber submissions to the FTC and was “intimately familiar” with the scope of the probe, all while failing to disclose the 2016 breach, according to the complaint.

“We expect good corporate citizenship,” U.S. Attorney David Anderson said in a statement Thursday. “We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

Sullivan ultimately was fired from his position in 2017 when Uber’s current CEO, Dara Khosrowshahi, took over control of the company from Travis Kalanick. Kalanick was the only other member of the Uber executive team who knew about the 2016 data breach at the time of the payment, the Justice Department complaint stated.

The two hackers behind the breach, Brandon Glover of Florida and Vasile Mereacre of Canada, pleaded guilty to their roles in the incident in October 2019.

Uber ultimately paid $148 million in 2018 as part of a settlement with state attorneys general to resolve investigations into the breach and its concealment.

The complaint against Sullivan is available in full below.