The former chief security officer of Uber has been accused of leading a premeditated attempt to cover up a 2016 hack that exposed the personal information of 57 million app users and drivers, the Department of Justice announced Thursday. Joseph Sullivan is accused of obstructing justice and misjudgment of a crime, which refers to concealing knowledge of a crime from law enforcement officials.
The complaint alleges that on November 14, 2016 – 10 days after Sullivan testified before the Federal Trade Commission about an earlier data breach – a hacker told Sullivan that he could have broken the company’s system. But instead of reporting it to the commission, as he is legally required to do, Sullivan “apparently took deliberate steps to prevent knowledge of the breach from reaching the FTC.”
“Witnesses said Sullivan was visibly shaken by the incident,” the complaint said. “A witness also reported that Sullivan stated in a private interview that he could not believe they had left another burglar and that the team had to make sure the word of the burglary did not come out.”
The complaint accuses Sullivan of the two hackers pay $ 100,000 in bitcoin through a bug bounty program – a legal program designed to reward those who point out a company’s security flaws – even though the hackers had stolen data, which violates the terms and conditions of the program. It also claims that Sullivan tried to get the hackers to sign non-disclosure agreements stating that they did not steal or store data, even though both he and the hackers knew this was false.
After Uber came under new management in 2017, executives discovered the intrusion and disclosed it to the FTC, according to the complaint.
In response to the allegations, Uber told CBS News that “We continue to cooperate fully with the Justice Department’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it illustrates the principles by which we run our business today: transparency, integrity and accountability. “
The complaint also alleges that Sullivan abused the company after it discovered the infringement by failing to provide crucial details about the hack. In preparing a brief for the new CEO, Sullivan apparently modified his team’s concept to remove details about what the hackers had stolen and incorrectly stated that the hackers were only paid after they were identified.
Sullivan was eventually fired, the complaint states.
The two hackers responsible for the burglary pleaded guilty on October 30, 2019. The complaint states that “both [hackers] chose to target other technology companies and their users’ data and successfully hack “after Sullivan authorities did not warn of the Uber hack.
“Silicon Valley is not the Wild West,” U.S. Attorney David Anderson said in a statement from the Department of Justice. “We expect good entrepreneurship from companies. We expect rapid reporting on criminal behavior. We expect cooperation with our investigations. We will not tolerate business coverage. We will not tolerate illegal payments for impressive money.”
A Sullivan spokesman told CBS News that “there is no merit to the charges”, adding, “If not for the efforts of Mr Sullivan and his team, it is likely that the persons responsible for this incident were never identified. . ”
The spokesman also claimed that Sullivan “worked closely with legal, communications and other relevant teams at Uber,” and that the company’s legal department was “responsible for deciding whether, and to whom, the matter should be disclosed.”
If convicted, Sullivan would face a maximum of five years in prison for the obstruction charge and three years for the misdemeanor offense.
.
