Former Uber security chief is charged after ‘concealing hack’

Former Uber security chief is charged with obstructing justice after ‘paying hackers $100,000 to cover up data breach’ that exposed email and phone numbers of 57m drivers and passengers

  • Joe Sullivan has been charged with obstructing justice and concealing a felony 
  • The former Uber chief security officer is accused of paying two hackers $100,000 in exchange for their silence on a 2016 data breach 
  • Hackers had gained access to an Uber database containing the drivers’ license numbers for approximately 600,000 people who drove for Uber
  • Federal prosecutors said Sullivan, 52, took ‘deliberate steps to conceal’ the hack from the FTC and his own colleagues


Uber’s former chief security officer has been charged with allegedly trying to cover up a data breach that exposed the email and phone numbers of 57 million drivers and passengers. 

Federal prosecutors on Thursday charged Joe Sullivan, 52, with obstructing justice and concealing a felony in connection with the 2016 hack.

Sullivan, who served as the company’s security officer from 2015 to 2017, is accused of taking ‘deliberate steps to conceal, deflect, and mislead’ the Federal Trade Commission, as well as his own colleagues, about the breach. 

According to a criminal complaint filed in a California federal court, Sullivan had funneled hackers $100,000 in Bitcoin in December 2016 in exchange for their silence before making them sign a non-disclosure agreement.

The cyber attack had come to light on November 14 that year – just 10 days after Sullivan testified in an FTC investigation into an Uber hack in September 2014. 

Prosecutors said two hackers, identified last year as Brandon Glover, 26, and Vasile Mereacre, 23, demanded the six-figure sum after emailing Sullivan informing him of the breach. 


They told the executive they had accessed and downloaded an Uber database containing personally identifying information of 57 million users. 

The database also included the driver’s license numbers for approximately 600,000 people who drove for Uber, according to prosecutors.    

‘Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,’ prosecutors said. 

Sullivan allegedly paid them off using a bug bounty program, in which a third-party intermediary arranges payment to ‘white hat’ hackers who point out security issues but have not actually compromised data.

Prosecutors claim Sullivan sent the money over despite the fact that the hackers refused to provide their true names. 

The agreements falsely claimed the hackers had not taken or stored any of the data.

When the company finally identified the perpetrators, Sullivan allegedly made the two men sign new NDAs with their real names and retained the false line that they did not store any information in the hack.

‘Silicon Valley is not the Wild West,’ U.S. Attorney David L Anderson said after announcing the charges on Thursday.

‘We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.’ 

 

 

 
