Uber’s former chief security officer has been charged for allegedly covering up a data breach that exposed the emails and phone numbers of 57 million Uber drivers and passengers.
According to Daily Mail, Joe Sullivan, 52, was charged Thursday with obstructing justice and concealing felony involvement in the 2016 hack.
The former security chief is accused of taking ‘deliberate steps to conceal, deflect, and mislead’ the Federal Trade Commission, along with his own colleagues, concerning the breach.
According to a complaint filed in a California federal court on Wednesday, Sullivan sent hackers $100,000 in Bitcoin in December 2016 in exchange for their silence before making them sign a non-disclosure agreement about the breach.
10 days after Sullivan had testified in an FTC investigation for a Uber hack that happened in September 2014, the cyberattack in question came to be known in November of 2016.
Brandon Glover, 26, and Vasile Mereacre, 23, were the two hackers identified, according to prosecutors. They demanded the six-figures after emailing Sullivan to inform him of the breach.
The hackers allegedly told the executive that they accessed and downloaded an Uber database, which contained personal identifying information of 57 million users.
Driver’s license numbers for approximately 600,000 people who drove for Uber were included in the database, according to prosecutors.
“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,” prosecutors said on Thursday.
Sullivan is accused of paying the hackers off using a “bug bounty program.” This is when a third party intermediary arranges payment to ‘white hat’ hackers who gives information about security flaws for companies without hacking the data themselves.
Using bug bounties is not something that is uncommon for some tech companies; however, a six-figure payment for this particular service is not common.
Prosecutors claim Sullivan sent the money over even though the hackers refused to give their true names.
Sullivan briefed new CEO Dara Khosrowshahi about the attack after the Uber Founder and former chief executive left the tech company. The brief was referencing the 2016 attack in an email composed by his team in September 2017.
Sullivan withheld evidence by editing the message to remove that the hackers had indeed obtained data and lied saying they had only paid the men off after they were identified, prosecutors said.
Discover more from Baller Alert
Subscribe to get the latest posts sent to your email.