US charges former Uber security chief with covering up massive 2016 hack

The incident exposed personal information of 57 million of the company's customers and drivers

Uber signs are seen August 20, 2020 at Los Angeles International Airport in Los Angeles, California. Rideshare service rivals Uber and Lyft were given a temporary reprieve on August 20 from having to reclassify drivers as employees in their home state of California by August 21. / AFP / Robyn Beck
Powered by automated translation

In an unprecedented case, a former chief security officer for Uber Technologies was criminally charged on Thursday with trying to cover up a 2016 hacking that exposed personal information of about 57 million of the ride-hailing company's customers and drivers.

The US Department of Justice charged Joseph Sullivan, 52, with felony obstruction of justice, saying he took "deliberate steps" to keep the Federal Trade Commission from learning about the hack while the agency was monitoring Uber security in the wake of an earlier breach.

The case was believed to be first time a corporate information security officer has been charged with concealing a hack.

Mr Sullivan, himself a former federal prosecutor, arranged to pay the hackers $100,000 (Dh367,000) under Uber’s programme for rewarding security researchers who report flaws. That amount was by far the most Uber had paid through the bounty programme, which was not meant to cover theft of sensitive data.

A former chief of security at Facebook, Mr Sullivan now works as chief information security officer at Cloudflare .

In past interviews, security staff said the Uber payout was intended to force the hackers into the open to accept the money and to ensure that the data, especially drivers’ license information on Uber contractors, was destroyed.

The complaint said Mr Sullivan had the hackers sign non-disclosure agreements that falsely stated they had not stolen data. It alleged that then-chief executive Travis Kalanick was aware of Mr Sullivan’s actions.

A spokeswoman for Mr Kalanick declined to comment.

A spokesman for Mr Sullivan said that the charges had no merit, that Mr Sullivan had worked with his colleagues on the case and that disclosure matters were decided by the legal department.

“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” said spokesman Brad Williams.

Mr Kalanick’s successor Dara Khosrowshahi disclosed the payoff, then fired Mr Sullivan and a deputy after learning the extent of the breach.

The Uber case will resonate for the increasing number of companies that deal directly with hackers.

Many have bounty programmes like Uber’s, which are generally seen as a tool to improve security and provide an incentive for hackers to stay within the law. But some participants do not play by the rules.

In the Uber case, the FBI noted, the two main hackers went on to attack other companies, which the agency said could have been averted if Mr Sullivan had gone first to law enforcement. Both have pleaded guilty and are awaiting sentencing.