The federal prosecutors in the United States have charged Uber’s former chief security officer, Joe Sullivan, for covering up a massive data breach that the ride-hailing company suffered in 2016.
According to the press release published by the U.S. Department of Justice, Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach” that also involved paying hackers $100,000 ransom to keep the incident secret.
“A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies,” it says.
The 2016 Uber’s data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driver license numbers of around 600,000 drivers.
The company revealed this information to the public almost a year later in 2017, immediately after Sullivan left his job at Uber in November.
Later it was reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were behind the incident to whom Sullivan approved paying money in exchange for promises to delete data of customers they had stolen.
All this started when Sullivan, as a representative for Uber, in 2016 was responding to FTC inquiries regarding a previous data breach incident in 2014, and during the same time, Brandon and Vasile contacted him regarding the new data breach.
“On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again.”
“Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email. Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC.”
According to court documents, the ransom amount was paid through a bug bounty program in an attempt to document the blackmailing payment as bounty for white-hat hackers who point out security issues but have not compromised data.
“Uber paid the hackers $100,000 in BitCoin in December 2016, despite the fact that the hackers refused to provide their true names (at that time),” federal prosecutors said. “In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data.”
“Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”
Just last year, both hackers were pleaded guilty to several counts of charges for hacking and blackmailing Uber, , and other U.S. corporations.
In 2018, British and Dutch data protection regulators also fined Uber with $1.1 million for failing to protect its customers’ personal information during a 2016 cyber attack.
Now, if Sullivan found guilty of cover-up charges, he could face up to eight years in prison, as well as potential fines of up to $500,000.