Uber’s former chief security officer was charged this week in connection with an alleged cover-up of a massive 2016 hack that exposed the personal information of some 57 million Uber users and drivers, a breach prosecutors say he tried his hardest to sweep under the rug.
According to a criminal complaint filed this week in the U.S. District Court for the Northern District of California, Joseph Sullivan told his security staff to keep details about the hack “tightly controlled,” which allegedly included misrepresenting the scope of the breach to Uber’s incoming CEO Dara Khosrowshahi, who joined the company in 2017. The New York Times earlier reported the charges.
Not only did Sullivan instruct his security staff to withhold information about the hack and inform others “only on a need-to-know basis,” the complaint states, but the company also treated the intrusion as the kind of white-hat research associated with its bug bounty program, opting to pay the hackers $100,000, far more than Uber had ever paid for the discovery of a vulnerability before. Moreover, Sullivan required the hackers to sign a non-disclosure agreement in exchange for the payment (again, unusual for Uber), and that NDA intentionally concealed the fact that any data had been taken.
More problematic, according to the complaint, is that Sullivan never disclosed the 2016 breach to the Federal Trade Commission, even though he was corresponding with the agency at the time about matters unrelated to that breach. He also allegedly “did not inform the Uber attorneys working on the FTC investigation—either in-house or outside counsel—that the breach had occurred.”
Mere months after Khosrowshahi joined the company, the breach was disclosed and Sullivan and another Uber employee in the company’s legal department were fired. The two individuals behind the Uber hack, Brandon Glover and Vasile Mereacre, pleaded guilty late last year.
“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson told Gizmodo by email on Friday. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
“Concealing information about a felony from law enforcement is a crime,” Deputy Special Agent in Charge Craig D. Fair said in a statement. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”