Federal prosecutors have charged Uber’s former chief security officer with covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack.
Prosecutors are charging Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan “engaged in a scheme to withhold and conceal” the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in federal court in California on Thursday.
“Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed,” David Anderson, U.S. attorney for the Northern District of California, told NPR.
A spokesperson for Sullivan sent a statement saying there was no merit to the charges and that he was part of larger team that worked on security. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” he said. The spokesperson said Uber’s legal team, rather than Sullivan, was responsible for deciding whether and to whom the matter should be disclosed.
Uber spokesman Matt Kallman said: “We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
An unusually large “bug bounty”
Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management — with one exception. According to the complaint, Uber’s CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber’s “bug bounty” program.
Kalanick has not been charged and wouldn’t comment for this story.
Like many tech companies, Uber pays so-called “white hat” hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company’s program “had a nominal cap of $10,000.”
Uber required the hackers to sign nondisclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data.
“The problem is that this hush money payment was not a bug bounty,” Anderson said. “We allege that this entire course of conduct reflects [Sullivan’s] consciousness of guilt and desperation to conceal.”
Sullivan never notified FTC about breach
The charges are the latest turn in a saga that dates back to November 2016, when Sullivan received an email from a hacker calling himself “John Doughs,” who claimed to have found a “major vulnerability in uber.” The hacker said, “I was able to dump uber database and many other things,” according to the complaint.
At the time, Uber was under investigation by the Federal Trade Commission for a separate 2014 breach that was carried out the same way “John Doughs” accessed Uber’s data. In both cases, hackers got hold of keys to get into Uber’s Amazon cloud servers, where the company stored data on drivers and customers, the complaint said.
In the 2014 breach, a hacker gained access to the names and driver’s licenses of about 50,000 drivers. The 2016 intrusion was much larger; those hackers got hold of names and driver’s license numbers of about 600,000 drivers, as well as the names, email addresses and phone numbers of 57 million passengers and drivers.
After receiving John Doughs’ email, Sullivan quickly notified Kalanick that he had “something sensitive” to update him about, according to the complaint. A text message from Kalanick cited in the complaint discussed paying the hackers through the bug bounty program.
“Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly,” Kalanick wrote, according to the complaint.
Sullivan never told the FTC about the new breach, even though he was closely involved in responding to the agency’s investigation of the earlier hack, according to the complaint.
“Witnesses reported Sullivan was visibly shaken by the events,” the complaint said. “A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out.”
Yearlong delay in reporting the hack
The breach came fully to light a year after Sullivan first learned about it, and only after Kalanick was forced out following a string of scandals over Uber’s aggressive competitive behavior and toxic work environment. Sullivan initially lied about the circumstances surrounding the breach to Kalanick’s successor, Dara Khosrowshahi, according to the complaint.
In November 2017, Khosrowshahi disclosed the breach to the FTC, issued a public apology and fired Sullivan.
Uber settled with the FTC and agreed to audits of its privacy and security systems every two years for 20 years. The company also paid a record $148 million penalty to settle lawsuits brought by all 50 states and the District of Columbia.
Last year, Anderson’s office charged two men with the breach: Brandon Glover of Winter Springs, Fla., and Vasile Mereacre of Toronto. They pleaded guilty to computer hacking and extortion — not just in the Uber intrusion, but in a subsequent breach of LinkedIn’s Lynda.com learning platform.
“One of the results of the cover-up is that the hackers continued to hack other companies in a way similar to what they had done to Uber,” Anderson said. “Because the Uber hack was concealed, law enforcement was not able to respond, law enforcement was not able to take the hackers into custody, law enforcement was not able to disrupt what they were doing.”
In addition, the complaint against Sullivan alleged that the two hackers shared the Uber data they stole with a third person who has not been charged. That person could still have the data, Anderson said.
Sullivan is well-known in Silicon Valley. He has served as chief security officer at Internet security company Cloudflare since 2018. Before joining Uber in 2015, he worked at Facebook for six years, including as chief security officer.
Before moving into tech, Sullivan spent two years prosecuting computer hacking and intellectual property crimes as an assistant U.S. attorney in the Northern District of California — the office that brought the charges against him.
If he is found guilty, Sullivan faces up to eight years in prison, as well as potential fines of up to $500,000.
Editor’s note: Uber is among NPR’s financial supporters.