(Bloomberg) -- Uber Technologies Inc.’s former chief security officer Joseph Sullivan was charged with covering up a 2016 data breach that compromised the personal information of 57 million drivers and users.
Rather than report the breach to the Federal Trade Commission, which was investigating an earlier hack at the company, Sullivan paid the hackers $100,000 in Bitcoin, according to a statement Thursday from U.S. Attorney David L. Anderson in San Francisco. Sullivan is charged with obstruction of justice and failing to report his knowledge of a felony.
“Silicon Valley is not the Wild West,” Anderson said in the statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
A spokesperson for Sullivan said there’s no merit to the charges.
“This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included,” Bradford Williams said in an email. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all.”
Sullivan, 52, joined Uber in 2015. He started his career as a federal prosecutor in computer hacking and intellectual property law. He’s been a quiet fixture of Silicon Valley for more than a decade, with stints at PayPal and EBay Inc. before becoming the chief security officer at Facebook in 2008.
”We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said in a statement. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
Although the circumstances of this case are unique, the underlying issue is not. Companies often hide hacks from the public for fear of the reputational damage. And in many cases, companies are not legally required to disclose even very serious hacks involving proprietary information or company secrets.
Under Sullivan’s direction, however, prosecutors say Uber attempted to hide a massive breach as a sort of favor the hackers did to the company by identifying a flaw in its computers networks. Following the breach, Uber paid the hackers $100,000 through a program used to reward security researchers for identifying vulnerabilities, known as a ‘bug bounty.’ In return, the hackers agreed not to disclose that they had stolen the data.
Prosecutors said that was at best a thinly veiled cover up. The payment to the hackers was unusually large for the bug bounty program, “which had a nominal cap of $10,000,” according to the complaint.
Sullivan was contacted by one of the hackers in November 2016, about 10 days after he had given testimony in an FTC inquiry about Uber’s cyber security related to an earlier 2014 data breach, according to the U.S. attorney’s statement. He didn’t disclose the new hack to the FTC. And Uber didn’t make it the public until the following year, after a new chief executive was installed at the company, replacing Uber co-founder Travis Kalanick, and Sullivan was fired.
The two hackers behind the 2016 breach pleaded guilty last year to computer fraud conspiracy charges. They both targeted and hacked other technology companies after Sullivan failed to alert law enforcement about the 2016 Uber hack, according to Anderson’s statement.
Williams said in his statement that Sullivan and his team collaborated closely with others at Uber and followed written policies.
“Those policies made clear that Uber’s legal department -- and not Mr. Sullivan or his group -- was responsible for deciding whether, and to whom, the matter should be disclosed,” according to the statement.
An FBI agent who investigated the incident said in a court filing that Kalanick’s response when Sullivan first informed him of the hack in a series of late-night conversations in November 2016 “reflects that the prospect of treating the incident under the bug bounty program was already being discussed.”
Kalanick wasn’t charged or accused of wrongdoing in the criminal complaint.
The case is U.S.A. v. Sullivan, 20-mj-71168, U.S. District Court, Northern District of California (San Francisco).