US Department of Justice accuses former employee of attempting to conceal hack
The former chief security officer (CSO) at Uber has been charged with trying to cover up the 2016 hack against the ride-sharing company that exposed millions of users’ personal data.
Joseph Sullivan, 52, is accused of obstruction of justice and misprision of a felony in connection with the incident, which impacted an estimated 57 million individuals.
The US Department of Justice (DoJ) said that between April 2015 and November 2017, Sullivan, of Palo Alto, California, served as the ride-sharing technology company’s CSO.
During this time, two malicious hackers contacted Sullivan and demanded a six-figure payment in exchange for his silence, a DoJ press release claims.
The threat actors accessed and downloaded an Uber database containing personally identifiable information belonging to Uber customers and drivers.
Data included the drivers’ license numbers of approximately 60,000 drivers.
A criminal complaint filed yesterday (August 20) alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the US Federal Trade Commission (FTC) about the breach.
“Silicon Valley is not the Wild West,” said US Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct.
“We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
The complaint details how Sullivan played a “pivotal role” in responding to the FTC’s inquiries about cybersecurity after an earlier hack that took place in 2014.
Sullivan assisted in responding to the FTC’s questions and was designated to provide sworn testimony “on a variety of issues”, says the DoJ.
However, approximately 10 days after giving testimony to the FTC, in November 2016, Sullivan is said to have received an email from a hacker informing him that Uber had been breached again.
Rather than report the incident, Sullivan allegedly took steps to prevent the FTC from learning of the breach.
Breach or bug bounty?
The DoJ statement reads: “Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program.
“Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their true names. In addition, Sullivan sought to have the hackers sign non-disclosure agreements.
“The agreements contained a false representation that the hackers did not take or store any data.”
It added: “Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained.”
If found guilty, Sullivan faces a maximum of five years’ imprisonment for the charge of obstruction of justice, and three years for the misprision charge.
An initial federal court date has not yet been set.
The two hackers identified by Uber both pleaded guilty to computer fraud conspiracy charges on October 30, 2019, and now await sentencing.