By Jack Morse
For ex-Uber exec Joe Sullivan, the cover-up wasn’t worse than the crime. It was the crime.
Or at least, so alleges the U.S. government in the United States District Court for the Northern District of California. Sullivan, who from 2015 to 2017 was Uber’s chief security officer, stands accused of helping to cover up the 2016 theft of both rider and driver personal data by a then-20-year-old Florida hacker.
At issue, notes the criminal summons, is what Sullivan apparently did after he learned of the hack. Instead of notifying the Federal Trade Commission that records belonging to 57 million customers and drivers had been stolen, Sullivan is said to have orchestrated — with the knowledge of then-CEO Travis Kalanick — a plan to sweep the entire incident under the rug with the help of a $100,000 payment via bitcoin.
Sullivan stands accused of trying to make it look like the hacker, who accessed one of Uber’s Amazon S3 buckets, was actually a lawful and totally cool participant in the company’s bug bounty program. Now, real hackers do in fact work to find security vulnerabilities at companies like Uber, but to do so in an unambiguously legal way they play by a certain set of rules. The Uber hacker, unambiguously, did not.
This entire situation, as you might imagine, hasn’t gone over too well with law enforcement. Sullivan faces up to eight years in prison and fines of up to $500,000 as a result. Specifically, he’s charged with one count of obstruction of justice, and one count of misprision (or concealment) of a felony.
“Sullivan engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers,” reads the complaint. “When Uber brought in a new CEO [Dara Khosrowshahi] in 2017, Sullivan lied to him about the circumstances surrounding that data breach.”
Text messages from 2016, reproduced in the complaint, show Kalanick in conversation with Sullivan discussing the best way to handle the data breach.
“Need to get certainty of what he [the hacker] has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation,” texted the CEO, “resources can be flexible in order to put this to bed but we need to document this very tightly.”
It is that tight documentation that Sullivan clearly hopes will save him.
“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” insisted Sullivan’s spokesperson to the New York Times. “Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”