Uber’s former chief security officer has been charged with paying hackers to cover up the ride hailing company’s 2016 data breach that hit nearly 57 million customers and drivers.
The US Department of Justice has filed a criminal complaint in San Francisco, charging Joseph Sullivan with “obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack at Uber”.
The Department said that instead of reporting the data breach to the Federal Trade Commission, which was already probing an earlier hack at Uber, Sullivan arranged to pay the hackers $100,000 in exchange for keeping schtum.
Sullivan was Uber’s chief security officer between April 2015 and November 2017, having previously led Facebook’s cybersecurity team.
The 2016 data breach included details such as names, email addresses and mobile phone numbers and, within that number, 600,000 drivers had their names and licence details exposed.
After stealing the data, the hackers contacted Sullivan through email and demanded a six-figure payment. The documents allege that Sullivan then arranged to pay $100,000 to the hackers under Uber’s bug bounty programme, which was not meant to cover theft of the firm’s confidential data.
Sullivan also asked the hackers to sign non-disclosure agreements that wrongly stated they had not stolen data from Uber. The complaint also alleges that then-CEO Travis Kalanick was aware of Sullivan’s actions.
Sullivan was ousted from the company after Uber recruited Dara Khosrowshahi as the new CEO in 2017. Khosrowshahi later fired another senior executive after learning the extent of the hack.
Uber had to pay $148m to settle claims by all 50 US states and Washington that it was slow to disclose the breach. In 2018, it was also fined more than £900,000 by UK and Dutch regulators for showing “complete disregard” for the personal information of both customers and drivers.
The ICO, which issued a £385,000 penalty, said “avoidable data security flaws” had allowed the personal details of around 2.7 million UK customers to be accessed. The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident.
In the Netherlands, where 174,000 citizens were affected, Uber was fined €600,000 (£532,000) by the Dutch data protection authority.
In his defence, Sullivan insisted he had acted with the approval of Uber’s legal department. However, if convicted, he could face up to eight years in jail.