UPDATED 22:00 EST / AUGUST 20 2020

SECURITY

Former Uber security chief Joe Sullivan charged in coverup of 2016 data breach

Former Uber Technologies Inc. Chief Security Officer Joe Sullivan has been charged in relation to covering up a security breach in 2016 that saw the theft of data relating to some 57 million Uber passengers and drivers.

Sullivan (pictured) was charged Wednesday with obstruction of justice and “misprision” or concealment of a felony by the U.S. Attorney’s Office in the Northern District of California.

The hack took place in 2016 but did not come to light until Sullivan was fired by Uber in November 2017. Sullivan was said to have paid the hackers $100,000 to delete the data and keep the breach quiet.

Suppressing the 2016 breach is one thing, but where the story takes a twist is that Sullivan had previously played a pivotal role in responding to U.S. Federal Trade Commission inquiries in relation to Uber’s cybersecurity practices following an earlier breach in 2014. The complaint describes how Sullivan was made aware of the 2016 hack 10 days after providing testimony to the FTC, but instead of informing the commission, he took deliberate steps to hide the details.

Sullivan is said to have paid the hackers by funneling the payoff through Uber’s bug bounty program and also sought to have the hackers sign nondisclosure agreements that included a false representation that the hackers did not take or store any data. The complaint also alleges that then-Uber Chief Executive Officer Travis Kalanick was aware of Sullivan’s actions.

Suggestions that Kalanick was involved in the coverup emerged in November 2017 and given that he has been named as a potential co-conspirator in the complaint against Sullivan, he may face charges as well in the near future.

The complaint goes on to claim that Sullivan deceived Uber’s new management team about the breach, initially failing to provide them with critical details in August 2017. In September 2017 Sullivan briefed new Uber CEO Dara Khosrowshahi but left out key details.

The two hackers were subsequently arrested and pleaded guilty to computer fraud conspiracy charges in October. Sullivan is currently the chief information security officer of Cloudflare Inc.

“Concealing information about a felony from law enforcement is a crime,” Deputy Special Agent in Charge Craig D. Fair said in a statement. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers and do not cover up criminal attempts to steal people’s personal data.”

According to Reuters, the case is believed to be the first time a corporate information security officer has been charged with concealing a hack.

Photo: Joe Sullivan/Twitter
