This week, the former chief of security at Uber, Joseph Sullivan, found himself facing charges in connection with an alleged cover-up of a major hack that occurred in 2016. This breach exposed the personal data of approximately 57 million Uber users. Sullivan went to great lengths to keep the breach under wraps.
A criminal complaint filed in Northern California’s District Court revealed that Sullivan had instructed his security team to tightly control information about the hack, going as far as lying to Uber’s incoming CEO, Dara Khosrowshahi, about the true extent of the breach. Khosrowshahi joined Uber in 2017, and the charges against Sullivan were previously reported by The New York Times.
It wasn’t just a matter of not releasing information regarding the hack; Sullivan actively ensured that knowledge of the breach was kept on a need-to-know basis. Moreover, Uber treated the hack as a white hat hacking incident, part of the company’s bug bounty program, and Sullivan even suggested paying the hackers a whopping $100,000. This amount far exceeded any previous payments made by Uber for discovering vulnerabilities in its technology.
To make matters worse, Sullivan entered into non-disclosure agreements with the hackers involved, offering the unusually high payment of $100,000, and deliberately concealed information about the compromised data within these agreements.
According to the complaint, Sullivan never disclosed any information about the breach to the Federal Trade Commission during discussions about unrelated matters in 2016. He also failed to inform Uber’s in-house and outside counsel working on an FTC investigation about the breach.
Just months after Khosrowshahi took charge at Uber, news of the breach became public, resulting in the termination of Sullivan and another employee in the company’s legal department. The two individuals responsible for carrying out the hack, Vasile Mereacre and Brandon Glover, had already pleaded guilty in court late last year, as reported by The New York Times.
“We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, but it also embodies the principles by which we are running our business today: transparency, integrity, and accountability,” stated an Uber spokesperson.
Deputy Special Agent in Charge Craig D. Fair commented on the situation, saying, “Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”