Federal prosecutors have accused Uber’s former chief security officer of covering up a massive 2016 data breach by arranging to pay $100,000 to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack.
Prosecutors have charged the former executive, Joe Sullivan, with obstruction of justice and a felony for the alleged cover-up. According to a complaint filed in federal court in California on Thursday, Sullivan took part in a plan “to prevent and conceal the violation from regulators” and failed to report the breach to law enforcement or the public.
Sullivan allegedly concealed the breach not only from the authorities but also from several other Uber employees, including top management, with one exception. According to the complaint, Uber’s CEO at the time, Travis Kalanick, was aware of the incident, and Sullivan reportedly took steps to cover it up, including paying the hackers $100,000 under Uber’s “bug bounty” program.
Kalanick has not been charged. NPR has reached out to Uber, Kalanick, and Sullivan for comment.
Like many tech companies, Uber pays so-called “white hat” hackers to test its systems for vulnerabilities. But what Uber paid in this case was far larger than any bug bounty it had previously paid, the complaint states, noting that the company’s program had “a modest cap of $10,000.”
Uber also required the hackers to sign non-disclosure agreements, which is not standard practice for bug bounties, the complaint alleges. Those agreements falsely stated that the hackers had not taken or stored any data.
“The problem is that this hush money payment wasn’t a bug bounty,” Anderson said. “We allege that this entire course of conduct [Sullivan’s] consciousness of guilt and desperation to conceal.”
Sullivan never informed the FTC about the breach
The allegation is the latest twist in a saga dating back to November 2016, when Sullivan received an email from a hacker calling himself “John Doughs,” claiming that “Uber has found a major vulnerability.” The hacker claimed that “I was able to dump the uber database and many other things,” according to the complaint.
At the time, Uber was being investigated by the Federal Trade Commission over a separate 2014 breach that had been carried out in the same way “John Doughs” accessed Uber’s data. In both cases, the hackers found the keys to Uber’s Amazon cloud server, where the company stored data on drivers and customers, the complaint said.
In the 2014 breach, a hacker gained access to the names and driver’s license numbers of about 50,000 drivers. The 2016 intrusion was far larger: those hackers obtained the names and driver’s license numbers of around 600,000 drivers, as well as the names, email addresses, and phone numbers of 57 million passengers and drivers.
According to the complaint, after receiving John Doughs’ email, Sullivan quickly informed Kalanick that he had “something sensitive” to update him on. A text message from Kalanick cited in the complaint mentioned that the hackers had been paid through the bug bounty program.
“The sensitivity of everything he has, the sensitivity/risk to him, and the need to gain confidence that he can actually regard it as an [bug] uncountable situation … to put it to bed. Resources can be flexible but we need to document it very tightly,” Kalanick wrote, according to the complaint.
Sullivan never told the FTC about the new breach, even though he was closely involved in responding to the agency’s investigation of the earlier hack, according to the complaint.
“Witnesses reported that Sullivan was shaken by the events,” according to the complaint. “A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach occur and that the team had to ensure that word of the breach did not come out.”
One-year delay in reporting the hack
The breach came fully to light only a year after Sullivan first learned of it, and only after Kalanick had been forced out following a string of scandals over Uber’s aggressive competitive behavior and its toxic work environment. According to the complaint, Sullivan initially lied to Kalanick’s successor, Dara Khosrowshahi, about the circumstances of the breach.
In November 2017, Khosrowshahi disclosed the breach to the FTC, issued a public apology, and fired Sullivan.
Last year, Anderson’s office charged two people in connection with the intrusion: Brandon Glover of Winter Springs, Fla., and Vasile Mereacre of Toronto, Canada. Both pleaded guilty to computer hacking and extortion, not only for the Uber intrusion but also for a subsequent breach of LinkedIn’s Lynda.com learning platform.