FBI charges former Uber chief security officer with obstruction of justice following 2016 hacking incident
The Dept of Justice announced charges Thursday against former Uber Chief Security Officer Joe Sullivan. Sullivan has been charged with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated.
According to the complaint, Sullivan, 52, paid hackers to
conceal a data breach that threatened to expose personally identifiable
information on 57 million Uber customers and drivers. The database included the
drivers’ license numbers for approximately 600,000 people who drove for Uber.
Sullivan is also accused of misleading the Federal Trade
Commission about an earlier hack in 2014. Uber appointed Sullivan as the
officer who would share information with the FTC regarding the 2014 hack.
Instead of revealing the 2016 hack to investigators,
Sullivan covered it up by paying the hackers $100,000 in BitCoin to stay quiet.
Sullivan disguised the payment as a "bug bounty."
After the 2016 payment, Sullivan reviewed and submitted
documents to the FTC that did not include any information about the 2016 hack.
Uber was not aware of the $100,000 payment that was paid to
the hackers. When Uber appointed a new CEO in August of 2017, Sullivan briefed
the new CEO a month later about the 2016 incident by email. Sullivan asked his
team to prepare a summary of the incident, but after he received their draft
summary, he edited it, removing details about the data that the hackers had
taken and falsely stated that payment had been made only after the hackers had
been identified.
Sullivan was subsequently terminated by Uber after the FTC
had determined there had been another hack in 2016 that he concealed from
investigators.
The two hackers identified by Uber were prosecuted in the
Northern District of California. Both pleaded guilty on October 30, 2019, to
computer fraud conspiracy charges and now await sentencing.
Sullivan is charged with obstruction of justice, in
violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18
U.S.C. § 4. He faces up to 8 years in prison.
A spokesperson for Joe Sullivan has sent KTVU the following
statement:
There is no merit to the charges against Mr. Sullivan, who
is a respected cybersecurity expert and former Assistant U.S. Attorney.
This case centers on a data security investigation at Uber
by a large, cross-functional team made up of some of the world’s foremost
security experts, Mr. Sullivan included. If not for Mr. Sullivan’s and his
team’s efforts, it’s likely that the individuals responsible for this incident
never would have been identified at all. From the outset, Mr. Sullivan and his
team collaborated closely with legal, communications and other relevant teams
at Uber, in accordance with the company’s written policies. Those policies made
clear that Uber’s legal department -- and not Mr. Sullivan or his group -- was
responsible for deciding whether, and to whom, the matter should be
disclosed."
Comments
Post a Comment