Former Uber Chief Security Officer Joseph Sullivan has been charged with obstruction of justice and concealment of a felony for his role in the attempted coverup of a 2016 hack that exposed the data of 57 million Uber customers and drivers, the Department of Justice announced Thursday.
The criminal complaint alleges that Sullivan deliberately attempted to “conceal, deflect and mislead” the Federal Trade Commission about the hack, which exposed names, email addresses and phone numbers for customers around the world as well as driver’s license numbers for around 600,000 drivers.
“Silicon Valley is not the Wild West,” U.S. Attorney David Anderson said in a statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Sullivan first learned of the hack in November 2016, Anderson said, but rather than report it, he paid off the hackers — who had not revealed their true names at the time — by funneling them $100,000 through a “bug bounty” program designed to pay “white hat” hackers who point out security flaws but don’t compromise data. According to the criminal complaint, he also sought to have the hackers sign non-disclosure agreements that falsely claimed the hackers had not obtained any data.
The complaint also alleges that Sullivan misled Uber’s new management team about the nature of the hack, removing details about the data stolen and claiming that payments were made only once Uber was aware of the identity of the hackers.
Uber Chief Executive Officer Dara Khosrowshahi, who was appointed in August 2017, fired Sullivan and publicly disclosed the breach in November 2017.
If Sullivan is convicted, he faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum of three years in prison for the concealment charge, formally known as misprision.