Uber’s former security chief has been charged with obstruction of justice for allegedly trying to hide a data breach from the Federal Trade Commission and from Uber management, according to a statement from the Department of Justice.
Joseph Sullivan, who was Uber’s chief security officer from April 2015 to November 2017, allegedly concealed a hack that occurred in October 2016 and exposed confidential data on 57 million drivers and customers, including driver’s license information. Uber paid the hackers $100,000 in bitcoin to delete the data, according to the Justice Department. (Sullivan was later fired.)
In addition to obstruction of justice, Sullivan is charged with misprision of a felony, meaning he allegedly knew of the hack and took steps to conceal it. If convicted, he faces up to five years in prison on the obstruction charge and up to three years on the misprision charge.
Sullivan’s spokesman, Bradford Williams, said in an email to The Verge that there was “no merit” to the charges against his client, noting that Sullivan is “a respected cybersecurity expert and former assistant U.S. attorney.”
Williams says that if not for the efforts of Sullivan and Uber’s security team, “it is likely that the individuals responsible for this incident would never have been identified.” He said Sullivan and his team “worked closely with legal, communications and other relevant teams at Uber, in line with the company’s written policies. That policy made it clear that Uber’s legal department – and not Mr. Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed.”
The 2016 hack happened during an investigation into a 2014 breach, and Sullivan was assisting authorities with that investigation when two hackers contacted him and demanded a six-figure payment to keep the new hack quiet, the Justice Department says.
“Prior to reporting the 2016 breach, Sullivan apparently took deliberate steps to prevent knowledge of the breach from reaching the FTC,” according to the Justice Department.
According to the allegations, Sullivan arranged to pay the hackers the $100,000 through Uber’s bug bounty program, even though the company did not yet know who the hackers were. Sullivan also had the hackers sign non-disclosure agreements stating that they had not taken or stored any user or driver data.
In the criminal complaint, filed in the Northern District of California, the FBI describes some of the steps Sullivan allegedly took when he realized that driver’s license information could have been accessed. “At approximately 3 p.m. Pacific time on November 15, 2016, Sullivan reached out to Uber’s then-CEO [Travis Kalanick] via text message,” the complaint states, adding that call records show Sullivan and Kalanick then had a conversation lasting about five minutes. “The CEO’s response reflects that the prospect of handling the incident under the bug bounty program had already been discussed,” the complaint states.
When Uber staff later identified the hackers, Sullivan had them sign new copies of the NDAs. Uber’s new management subsequently discovered what had happened and disclosed the breach. According to the criminal complaint, the terms of Uber’s bug bounty program “did not authorize a hacker who accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems.”
Uber has been cooperating with the government’s investigation since November 2016, according to the Justice Department’s statement.
“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said in a statement emailed to The Verge on Thursday. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
UPDATE August 20, 16:21 ET: Updated with comment from an Uber spokesperson and Sullivan’s lawyer, and with details from the criminal complaint.