Uber’s ex-chief security officer charged for alleged attempt to cover up 2016 hack

David Anderson, U.S. attorney for the Northern District of California, announces charges of obstruction of justice and misprision against former Uber Chief Security Officer Joseph Sullivan, a 52-year-old Palo Alto resident. Courtesy U.S. Attorney’s Office.

Federal law enforcement authorities have charged former Uber Chief Security Officer Joseph Sullivan with obstruction of justice and misprision (deliberate concealment of a felony) in an attempted cover-up of the 2016 hack of millions of drivers’ and users’ data, the U.S. Attorney’s Office announced Thursday.

Sullivan, 52, of Palo Alto, served as the ride-sharing company’s chief security officer between April 2015 and November 2017. During this time, two hackers contacted him by email and demanded a six-figure payment in exchange for silence.

The hackers revealed they accessed and downloaded an Uber database containing personally identifying information of approximately 57 million Uber users and drivers. The database included the drivers’ license numbers for approximately 600,000 Uber drivers. Sullivan allegedly took deliberate steps to conceal, deflect and mislead the Federal Trade Commission (FTC) about the breach, according to the criminal complaint.

“Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments,” David L. Anderson, U.S. Attorney for the Northern District of California, said in a statement.

“Concealing information about a felony from law enforcement is a crime,” FBI Deputy Special Agent in Charge Craig D. Fair added. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Sullivan allegedly played a pivotal role in responding to FTC inquiries about Uber’s cybersecurity. The company had been hacked in September 2014 and the FTC was gathering information about that breach.

FTC investigators demanded responses to written questions and required Uber to designate an officer to provide testimony under oath on multiple topics. Sullivan assisted in Uber’s prepared responses and provided sworn testimony. On Nov. 14, 2016, approximately 10 days after providing his testimony to the FTC in the 2014 case, Sullivan allegedly received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email, according to the U.S. Attorney’s Office.

Sullivan did not report the breach and blackmail and allegedly took steps to prevent the FTC from learning about the hack. Federal prosecutors claim he sought to pay off the hackers by funneling the payoff through a bug bounty program, in which a third-party intermediary arranges payment to so-called “white hat” hackers who point out security issues but have not compromised data. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their true names. Sullivan also sought to have the hackers sign non-disclosure agreements, the U.S. Attorney’s Office alleges.

The agreements contained a false representation that the hackers did not take or store any data.

“When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained,” the U.S. Attorney’s Office said.

Uber’s new management discovered and disclosed the breach publicly and to the FTC in November 2017. Uber has responded to additional government inquiries since that time, the U.S. Attorney’s Office said.

The criminal complaint also alleges Sullivan deceived Uber’s management team about the 2016 breach, in which he failed to provide the new management team with critical details about the violation. In August 2017, Uber named a new CEO whom Sullivan briefed 13 months later about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but he edited the draft summary when it came into his hands. His changes removed details about data the hackers took and falsely stated that payment had been made only after the hackers had been identified.

The two hackers were prosecuted in the Northern District of California. Both pleaded guilty on Oct. 30, 2019 to computer fraud conspiracy charges and await sentencing. They both targeted and successfully hacked other technology companies and users’ data after Sullivan failed to bring the Uber data breach to the attention of law enforcement, the U.S. Attorney’s Office noted.

Sullivan’s initial federal court appearance has not yet been scheduled. He faces a maximum statutory penalty of five years in prison for the obstruction charge and up to three years in prison for the misprision charge, if convicted. The case is being prosecuted by the Corporate Fraud Strike Force of the U.S. Attorney’s Office as a result of an FBI investigation.

Bradford Williams of Bradford Williams Strategic Communications, a spokesperson for Sullivan, provided the following statement to this news organization on Thursday night:

“There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant U.S. Attorney.

“This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”