Uber’s former security chief has been charged with obstruction of justice for trying to hide a data breach from the Federal Trade Commission and Uber management, according to a statement from the Department of Justice.
Joseph Sullivan, who was Uber’s chief security officer from April 2015 to November 2017, allegedly concealed the hack that occurred in October 2016, which exposed confidential data of 57 million drivers and customers, including drivers’ license information. Uber paid the hackers $100,000 in bitcoin to delete the data, according to the Justice Department. (Sullivan was later fired.)
In addition to obstruction of justice, Sullivan is charged with misprision of a felony, meaning he knew of the breach and took steps to conceal it. If convicted, he faces up to five years in prison for the obstruction charge and up to three years for the misprision charge.
Sullivan’s spokesman Bradford Williams said in an email to The Verge that there was “no merit” to the charges against his client, noting Sullivan is “a respected cybersecurity expert and former Assistant U.S. Attorney.”
Williams says if not for Sullivan’s efforts and the efforts of Uber’s security team, “it’s likely that the individuals responsible for this incident never would have been identified at all.” He said Sullivan and his team “collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
The hack occurred during an investigation into a 2014 breach, and Sullivan was helping authorities with that investigation when two hackers contacted him and demanded a six-figure payment to keep the hack quiet, the Justice Department says.
“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,” according to the Justice Department.
According to the charges, Sullivan tried to pay the hackers via a bug bounty program, paying the $100,000 even though the company didn’t know who the hackers were. Sullivan tried to get the hackers to sign nondisclosure agreements, which stated that the hackers didn’t take or store any of the user and driver data.
In the criminal complaint, filed in the Northern District of California, the FBI details some of the steps Sullivan allegedly took once he realized drivers’ license information could have been involved in the hack. “At approximately 1:00am Pacific time on November 15, 2016, Sullivan reached out to Uber’s then-CEO [Travis Kalanick] via text message,” the complaint states, adding that call records show that Sullivan and Kalanick had a call that lasted about five minutes. “The CEO’s response reflects that the prospect of treating the incident under the bug bounty program was already being discussed,” the complaint states.
Once Uber staff identified the hackers, Sullivan had them sign new copies of the NDA agreements. Uber management discovered what was happening and disclosed the breach. According to the criminal complaint, the terms of Uber’s bug bounty program “did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems.”
Since November 2016, Uber has been cooperating with the government in the investigation, according to the Department of Justice statement.
“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said in a statement emailed to The Verge on Thursday. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
UPDATE August 20th, 4:21PM ET: Added statement from Uber spokesperson, Sullivan’s attorney, and details from the criminal complaint.