A former Uber CSO has been charged with obstruction of justice after allegedly concealing the facts of a major 2016 breach of the firm from law enforcement, regulators and senior management.
Joseph Sullivan, 52, of Palo Alto, was the car hire giant’s security supremo from April 2015 to November 2017.
The criminal complaint against him, filed in a federal court on Thursday, alleges that he failed to inform the FTC about the compromise of personally identifiable information (PII) on 57 million customers and drivers.
Ironically, he apparently received an email from the hacker informing him of the breach just 10 days after having completed testimony to the regulator about a previous 2014 breach.
Instead of coming clean, Sullivan is alleged to have paid the cyber-criminals $100,000 in Bitcoin through a bug bounty program and forced them to sign an NDA claiming falsely that no data was taken or stored.
The indictment claimed that Uber personnel were able to discover the identities of two of the attackers, whose real names were placed on the NDA.
The Department of Justice complaint said that in August 2017, Sullivan briefed Uber’s new CEO, Dara Khosrowshahi, about the incident via email, editing the summary prepared by his team. It apparently stated falsely that payment had been made only after the hackers had been identified and also removed details about the type of data taken.
Sullivan now faces one count of obstruction of justice, carrying a five-year maximum term, and one count of misprision of a felony, which could land him three years. The latter offense is one in which an individual fails to inform the authorities of a felony they know has been committed.
The two hackers pleaded guilty last October to computer fraud conspiracy charges.
“Silicon Valley is not the Wild West,” said US attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Casey Ellis, CTO and founder of Bugcrowd, argued that the case may have negatively influenced the public’s view of the hacking community and of bug bounties.
“Historically, hackers were strictly viewed as malevolent, but the industry’s understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community,” he added.
“In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security postures.”