The Department of Justice has indicted Uber’s former head of security for allegedly covering up a data breach that affected more than 50 million people. While Uber and its then-chief security officer learned about the hack in 2016, the company didn’t publicly disclose it until a year later, prosecutors said.
Officials said the alleged cover-up came directly from Joe Sullivan, who served as Uber’s security chief from April 2015 to November 2017. In October 2016, Uber suffered a data breach. Two hackers, Brandon Charles Glover and Vasile Mereacre, were convicted in October 2019, and were also behind cyberattacks against the online learning website Lynda.
For more like this
Subscribe to the CNET Now newsletter for our editors’ picks of the most important stories of the day.
The hackers stole data on 57 million drivers and riders — including names, email addresses and driver’s license numbers — and agreed to delete it for a price.
Rather than publicly disclosing the hack, which companies are required to do within a certain number of days in states like California, Uber paid the hackers $100,000 and had them sign a nondisclosure agreement.
Sullivan described the payment as a bug bounty reward, which companies often pay out to researchers who discover security flaws. Prosecutors said the payment was more of a cover-up than a bounty reward.
“While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice,” FBI deputy special agent in charge Craig Fair said in a statement. “Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
The hack only became public knowledge after a full year, when former Uber CEO Travis Kalanick was forced out and replaced by Dara Khosrowshahi. Sullivan had briefed the new CEO about the cyberattack, but edited out details about what data the hackers obtained and when the company paid the hackers.
The company fired Sullivan after the public disclosure, and paid $148 million in a settlement over the data breach.
Sullivan has been charged with obstruction of justice and faces a maximum of five years in prison. He is currently the chief security officer of Cloudflare.
“This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included,” Sullivan’s spokesman Bradford Williams said in a statement. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
In private conversations, Sullivan told Uber’s security team it needed to “make sure word of the breach did not get out,” according to court documents. The data breach also remained hidden from the Federal Trade Commission, which was already investigating Uber over a data breach in 2014.
“We continue to cooperate fully with the Department of Justice’s investigation,” Uber said in a statement. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
The bug bounty payment to Uber’s hackers stood out from how the company usually rewarded security researchers. For starters, Uber’s bug bounty program had a cap of $10,000, and never paid anything close to $100,000, according to court documents.
Also, no bug bounty rewards with Uber ever came with a nondisclosure agreement like the ones created for the two hackers. The company’s own bug bounty policy also specified that the company wouldn’t pay out for data dumps from its servers.
“Silicon Valley is not the Wild West,” said US Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups.”