The Department of Justice announced in a press release today that Joseph Sullivan, former Chief Security Officer of Uber
The press release describes how, rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the Federal Trade Commission (FTC). Sullivan allegedly sought to pay the hackers off by funneling the payoff through a bug bounty program, a program in which a third-party intermediary arranges payment to so-called ‘white hat’ hackers who point out security issues but have not actually compromised data.
The complaint shows that between April 2015 and November 2017, Sullivan served as Uber’s Chief Security Officer (CSO). During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers had accessed and downloaded an Uber database containing personally identifying information (PII) of approximately 57 million Uber users and drivers. The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber. Sullivan allegedly took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
Uber actually paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers never gave their true names and already had the data. Sullivan even sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. He was questioned about this inaccuracy but still proceeded to offer the NDA with that language.
Joe Sullivan appears to be active on Twitter from time to time, and his profile is shown below. In later tweets, he talks about being at a conference telling individuals what the role of a CSO is in the event of a crisis.
In 2018, Joe Sullivan had been in a closed legal proceeding where he swore that he knew of no attempts to steal trade secrets from other companies. In another Twitter post, Sullivan is shown discussing how he was at a conference providing information on what the role of a CSO is during a crisis.
The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The criminal complaint makes clear that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Sullivan failed to bring the Uber data breach to the attention of law enforcement. In sum, Sullivan was charged with obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4. Sullivan’s initial federal court appearance has not yet been scheduled.