US charges former Uber security chief in hack cover-up
SAN FRANCISCO – US prosecutors on Thursday charged Uber’s former security chief with covering up a hack that compromised the personal information of 57 million users and drivers. A criminal complaint accused Joseph Sullivan of trying to hide the hack from the Federal Trade Commission.
He faces a maximum sentence of eight years in prison if convicted of charges of obstructing justice and concealing a felony crime. “Silicon Valley is not the Wild West,” US Attorney David Anderson for the Northern District of California said in a statement. “We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Sullivan sought to pay off the hackers by funneling money through a “bug bounty” program that rewards developers for revealing security vulnerabilities without doing any harm, according to the complaint.
Uber paid the hackers $100,000 in bitcoin cryptocurrency in December 2016, with Sullivan wanting them to sign non-disclosure agreements promising to keep mum about the affair, prosecutors said.
Sullivan, 52, was Uber chief security officer from April 2015 to November 2017. The criminal complaint maintains that Sullivan deceived Uber’s new chief executive Dara Khosrowshahi, appointed in mid-2017, about the breach.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said after learning of the situation in late 2017.
Two members of the Uber information security team who “led the response” that included not alerting users about the data breach were let go from the San Francisco-based company, according to Khosrowshahi.
The Uber chief said he had learned that outsiders broke into a cloud-based server used by the company for data and downloaded a “significant” amount of information.
Stolen files included names, email addresses and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Khosrowshahi learned of the incident, according to an AFP source.
Two hackers identified by Uber pleaded guilty in October of 2019 to computer fraud conspiracy charges and await sentencing, prosecutors said.
“While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice,” FBI deputy special agent Craig Fair said. “Do not help criminal hackers cover their tracks.”