US charges former Uber security chief in hack cover-up

SAN FRANCISCO, Aug 21, 2020 (BSS/AFP) – US prosecutors on Thursday charged
Uber’s former security chief with covering up a hack that compromised the
personal information of 57 million users and drivers.

A criminal complaint accused Joseph Sullivan of trying to hide the hack
from the Federal Trade Commission.

He faces a maximum sentence of eight years in prison if convicted of
charges of obstructing justice and concealing a felony crime.

“Silicon Valley is not the Wild West,” US Attorney David Anderson for the
Northern District of California said in a statement.

“We will not tolerate corporate cover-ups. We will not tolerate illegal
hush money payments.”

Sullivan sought to pay off the hackers by funneling money through a “bug
bounty” program that rewards developers for revealing security
vulnerabilities without doing any harm, according to the complaint.

Uber paid the hackers $100,000 in bitcoin cryptocurrency in December 2016,
with Sullivan wanting them to sign non-disclosure agreements promising to
keep mum about the affair, prosecutors said.

Sullivan, 52, was Uber chief security officer from April 2015 to November
2017.

The criminal complaint maintains that Sullivan deceived Uber’s new chief
executive Dara Khosrowshahi, appointed in mid-2017, about the breach.

“None of this should have happened, and I will not make excuses for it,”
Khosrowshahi said after learning of the situation in late 2017.

Two members of the Uber information security team who “led the response”
that included not alerting users about the data breach were let go from the
San Francisco-based company, according to Khosrowshahi.

The Uber chief said he had learned that outsiders broke into a cloud-based
server used by the company for data and downloaded a “significant” amount of
information.

Stolen files included names, email addresses and mobile phone numbers for
riders, and the names and driver license information of some 600,000 drivers,
according to Uber.

Co-founder and ousted chief Travis Kalanick was advised of the breach
shortly after it was discovered, but it was not made public until
Khosrowshahi learned of the incident, according to an AFP source.

Two hackers identified by Uber pleaded guilty in October of 2019 to
computer fraud conspiracy charges and await sentencing, prosecutors said.

“While this case is an extreme example of a prolonged attempt to subvert
law enforcement, we hope companies stand up and take notice,” FBI deputy
special agent Craig Fair said.

“Do not help criminal hackers cover their tracks.”