Joe Sullivan, the former chief security officer of Uber, was charged by federal prosecutors in the United States with covering up a huge data breach that the company suffered in 2016.
According to a press release published by the U.S. Department of Justice, Sullivan took deliberate steps to conceal, deflect and mislead the Federal Trade Commission about the breach; those steps also included paying hackers a $100,000 ransom to keep the incident secret.
Joseph Sullivan was charged with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies.
In the 2016 data breach, the names, email addresses and phone numbers of 57 million Uber riders and drivers, and the driver's license numbers of around 600,000 drivers, were exposed.
Uber revealed the data breach to the public almost a year later, when Sullivan left his job at the company in November.
It was reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were responsible for the hack, and that Sullivan approved paying them money in exchange for promises to delete the customer data they had stolen.
In 2016, Sullivan, as a representative for Uber, was responding to FTC inquiries regarding a previous data breach incident that occurred in 2014. It was at the same time that Brandon and Vasile contacted him regarding the new data breach.
According to the court documents, the two hackers contacted Sullivan via email, stating that they had found a major vulnerability, and provided a sample of the stolen data. They also requested a $100,000 payment in bitcoin to reveal the company’s security hole.
Sullivan’s team confirmed the breach within 24 hours of receiving the email. But instead of reporting the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC.
Uber paid the hackers $100,000 in Bitcoin in December 2016 through a bug bounty program, and Sullivan also made the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data.
When the Uber security team identified the two hackers responsible for the breach, Sullivan made them sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained.
Uber’s new management discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.
Both hackers pleaded guilty last year to several counts of hacking and blackmailing Uber, LinkedIn, and other U.S. corporations.
If Sullivan is found guilty of the cover-up charges, he might face up to eight years in prison and potential fines of up to $500,000.