The US prosecutors have charged a former Uber chief security officer for trying to hide a data breach from federal investigators. The United States Department of Justice charged Joseph Sullivan with “obstruction of justice and misprision of a felony.”
The criminal charges filed in US District Court in San Francisco accuse Sullivan, 52, of taking deliberate steps to keep the Federal Trade Commission (FTC) as well as Uber management from learning about the breach.
The case relates to a 2016 data breach that had exposed the personal information of about 57 million Uber drivers and riders. Hackers got access to information including license numbers of around 600,000 people who drove for the ride-hailing giant.
Sullivan, who led Uber’s security team during that time, tried to hide the breach from the FTC when the agency was investigating the company following an earlier breach. Instead of reporting the breach to the FTC, he sought to pay off the hackers in exchange for silence.
He wanted to funnel the payoff through a bug bounty program. Such programs reward security researchers or the so-called ‘white-hat’ hackers for reporting security flaws without doing any harm.
Uber eventually paid the hackers $100,000 in BitCoin in December 2016. Sullivan also sought to have the hackers sign non-disclosure agreements, despite them not revealing their identity. Moreover, the agreements contained a false representation that the hackers did not steal any data.
The company was later able to identify two people responsible for the breach. Upon their identification, Sullivan again tried to have them sign the same non-disclosure agreement.
He also kept the details hidden from Uber’s management. However, the company ultimately discovered all of Sullivan’s wrongdoings and disclosed the breach publicly as well as to the FTC in November 2017. He was later fired by the company.
The former Uber security chief faces up to eight years in prison
A former federal prosecutor himself, Joseph Sullivan was the chief security officer for Uber from April 2015 to November 2017. The case against him is reportedly the first time a corporate security officer has been charged with concealing a breach.
“Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct, said US Attorney David L. Anderson. “We expect cooperation with our investigations. We will not tolerate corporate cover-ups,” he added.
An A spokesperson for Sullivan, meanwhile, has denied the charges saying they had no merit. Sullivan worked with his colleagues on the case and that they decided the disclosure matters collectively, the spokesperson suggested.
A former chief of security at Facebook, Sullivan currently holds the same position at Cloudflare. He faces up to five years in prison for obstruction of justice and up to three years for misprision of a felony if convicted of the charges.