Uber’s chief security officer, Joe Sullivan, broke the law by hushing up the theft of millions of people’s details from the app maker’s databases by hackers, prosecutors say.
Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five- and three-year prison sentences, respectively, and a fine of up to $250,000 apiece.
According to the government, the charges stem from Sullivan’s efforts to cover up the 2016 security breach at Uber in which miscreants siphoned from internal databases the personal information of 57 million passengers and 600,000 drivers, including their driving license details.
The hack was significant enough that Sullivan was “visibly shaken” by the break-in, particularly after Uber had been dealing with the fallout from a 2014 cyber-intrusion, according to FBI special agent Mario Scussel.
“A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out,” Scussel claimed in court filings this week.
We’re told that, rather than informing the Feds and publicly disclosing the security lapse, Sullivan instead sought to hush up the hack by buying the silence of the intruders with $100,000 in Bitcoins, making them sign confidentiality agreements to keep the details under wraps, and playing the whole thing off as a reward for finding a bug in Uber’s systems rather than characterizing it more accurately as a data leak.