UPDATED 22:00 EDT / AUGUST 20 2020

SECURITY

Former Uber security chief Joe Sullivan charged in coverup of 2016 data breach

Former Uber Technologies Inc. Chief Security Officer Joe Sullivan has been charged in relation to covering up a security breach in 2016 that saw the theft of data relating to some 57 million Uber passengers and drivers.

Sullivan (pictured) was charged Wednesday with obstruction of justice and “misprision” or concealment of a felony by the U.S. Attorney’s Office in the Northern District of California.

The hack took place in 2016 but did not come to light until Sullivan was fired by Uber in November 2017. Sullivan was said to have paid the hackers $100,000 to delete the data and keep the breach quiet.

Suppressing the 2016 breach is one thing, but where the story takes a twist is that Sullivan had previously played a pivotal role in responding to U.S. Federal Trade Commission inquiries in relation to Uber’s cybersecurity practices following an earlier breach in 2014. The complaint describes how Sullivan was made aware 10 days after providing testimony to the FTC of the 2016 hack but instead of informing the commission, he took deliberate steps to hide the details.

Sullivan is said to have paid the hackers by funneling the payoff through Uber’s bug bounty program and also sought to have the hackers sign nondisclosure agreements that included a false representation that the hacker did not take or store any data. The complaint also alleges that then Uber Chief Executive Officer Travis Kalanick was aware of Sullivan’s actions.

Suggestions that Kalanick was involved in the coverup emerged in November 2017 and given that he has been named as a potential co-conspirator in the complaint against Sullivan, he may face charges as well in the near future.

The complaint goes on to claim that Sullivan deceived Uber’s new management team about the breach, initially failing to provide them with critical details in August 2017. In September 2017 Sullivan briefed new Uber CEO Dara Khosrowshahi but left out key details.

The two hackers were subsequently arrested and pleaded guilty to computer fraud conspiracy charges in October. Sullivan is currently the chief information security officer of Cloudflare Inc.

“Concealing information about a felony from law enforcement is a crime,” Deputy Special Agent in Charge Craig D. Fair said in a statement. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers and do not cover up criminal attempts to steal people’s personal data.”

According to Reuters, the case is believed to the first time a corporate information security officer has been charged with concealing a hack.

Photo: Joe Sullivan/Twitter

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU