Mr. Sullivan was “visibly shocked” when he learned of the hack and told others he “could not believe they had left another burglar and that the team had to make sure the word of the burglary did not come out,” according to the court documents.
Currently, the Federal Trade Commission is investigating Uber in connection with a similar data breach that occurred two years earlier. But even though he was aware of the FTC investigation and spoke under oath with investigators, Mr. Sullivan did not tell FTC officials about the 2016 hack, prosecutors said. He also kept information about the incident from Uber employees who were responsible for communicating with the FTC about the previous incident, according to court documents.
Uber tried to handle the incident quietly through its so-called bug-bounty program. Technology companies often pay bounties to security researchers who discover flaws in their software and report them. But bug-bounty experts questioned whether the payment Uber gave to the hackers fell within the ethical limits of such programs, which are designed to induce people to report security flaws so that they can be repaired.
In October, Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian citizen, pleaded guilty to the hack. They could each serve a maximum of five years in federal prison and are expected to be sentenced next year.
Uber did not reveal the breach until 2017, after its former CEO, Travis Kalanick, was fired by investors and replaced by Dara Khosrowshahi, the current head of Uber.
Mr. Khosrowshahi fired Mr. Sullivan and Uber’s legal director of security and law enforcement, Craig Clark, who had helped oversee the response to the security incident.
“We continue to fully cooperate with the Department of Justice’s investigation,” said Matt Kallman, an Uber spokesman. “Our decision in 2017 to disclose the incident was not only the right thing to do, it illustrates the principles by which we conduct our business today: transparency, integrity and accountability.”