Illustration by Security Management

Former Uber CSO Charged with Covering Up Data Breach

U.S. prosecutors charged the former chief security officer (CSO) of Uber for his alleged role in an attempted cover-up of a 2016 data breach at the company.

Joseph Sullivan, 52, was charged with obstruction of justice and misprision of a felony; the U.S. Department of Justice (DOJ) claims that Sullivan, while CSO of Uber, was contacted by two hackers on 14 November 2016 who demanded a six-figure payment in exchange for silence.

“The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers,” according to the DOJ. “The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber. The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.”

The hackers sent the email to Sullivan just 10 days after he had provided testimony to the FTC about the status of Uber’s cybersecurity, in response to an inquiry about a 2014 breach. The DOJ complaint claims that Sullivan took action to prevent the FTC from knowing about this new breach, including arranging for the hackers to be paid $100,000 in Bitcoin through a bug bounty program and requiring them to sign non-disclosure agreements.

New management took over Uber in 2017, and the complaint says that Sullivan did not provide the new leadership with “critical details” about the breach. After learning more about the 2016 breach, the new management notified the FTC in 2017, disclosed the breach to the public, and paid $148 million to settle claims by U.S. states and Washington, D.C., that it was slow to disclose the breach. The hackers responsible for the breach were charged by U.S. officials and pled guilty.

Sullivan was ultimately fired from Uber and now serves as the chief information security officer for Cloudflare. A spokesperson for Sullivan sent a statement to NPR saying the charges were meritless, and that Sullivan was part of a larger team working on security at Uber at the time.

“If not for Mr. Sullivan and his team’s efforts, it’s likely that the identified individuals responsible for this incident never would have been identified at all,” the spokesperson said, instead casting blame on Uber’s legal team that ultimately decided how the 2016 breach would be disclosed.

Cloudflare Co-Founder and CEO Matthew Prince also tweeted out his support for Sullivan on Thursday, saying he was sad to see the allegations.

“Joe’s had a distinguished career as a U.S. Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare,” Prince tweeted. “Anytime an opportunity arose, Joe’s advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.”

An initial court appearance for Sullivan has not been scheduled; if convicted, he faces a maximum penalty of five years in prison for the obstruction charge and a maximum of three years for the misprision charge.

“Silicon Valley is not the Wild West,” said U.S. Attorney David L. Anderson in a statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”