SAN FRANCISCO (CN) — Uber’s former head of security Joseph Sullivan was charged Thursday with trying to cover up a 2016 data breach that exposed the personal information of 57 million drivers and passengers.
A criminal complaint filed in the Northern District of California accuses Sullivan of paying two hackers who had contacted him by email to say they had accessed Uber’s database of 57 million email addresses and phone numbers, as well as 600,000 driver’s license numbers. He funneled a payment of $100,000 in bitcoin through Uber’s “bug bounty” program, under which “white hat” hackers are paid to search for and report security flaws.
Vasile Mereacre, 23, of Toronto, and Brandon Glover, 26, of Florida, pleaded guilty to the hack in October 2019.
Though the hackers originally refused to provide their real names, Sullivan had them sign non-disclosure agreements stating that they had not stolen any data. Uber did not report the breach to the Federal Trade Commission until November 2017, after new CEO Dara Khosrowshahi had replaced Travis Kalanick.
Prosecutors say Sullivan also deceived Uber’s new management team about the breach, removing from a report on the incident details about the data the hackers had stolen and falsely stating that they had been paid only after they were identified. Sullivan later had the hackers sign fresh non-disclosure agreements under their real names, again containing the false statement that no data had been stolen.
“Concealing information about a felony from law enforcement is a crime,” FBI Special Agent Craig Fair said in a statement from the Justice Department on Thursday. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
Sullivan faces one count of obstruction of justice and one count of misprision of a felony (concealing knowledge of a felony from authorities), which together carry a maximum combined penalty of eight years in prison.
The FTC learned in 2018 that Uber had hidden the 2016 breach from investigators, a year after the company settled claims that it had failed to live up to promises that its customers’ data was secure. As a result, the settlement was expanded to subject Uber to civil penalties if it ever again deceives the FTC about a breach.
Uber also agreed to pay $148 million in penalties in a multistate settlement inked in 2018.