Joseph Sullivan also paid hackers $100,000 in Bitcoin.
Joseph Sullivan, former Chief Security Officer at Uber, has been charged with obstruction of justice after allegedly covering up a massive data breach that exposed private details of a whopping 57 million Uber accounts in October 2016.
The company was already walking on thin ice, with numerous allegations pertaining to sexual harassment, federal criminal probes, and a trade secret theft lawsuit. But the coup de grâce was the CSO’s deliberate efforts to conceal the data breach and mislead others about it, which also included paying hackers $100,000 in Bitcoin via a bug bounty program.
According to the criminal complaint filed in federal court, Sullivan played a pivotal role in concealing vital facts of the incident. Uber Technologies Incorporated was hacked in September 2014. While the Federal Trade Commission (FTC) was investigating that breach, Joseph Sullivan assisted by providing written responses and sworn testimony.
Approximately ten days after his testimony to the FTC, on November 14th, 2016, the CSO received an email from an attacker informing him about another breach. Instead of coming clean, and in an attempt to cover up the incident, the former CSO paid the hackers, who had demanded a six-figure payment.
He also instructed them to destroy the data. Beyond this, Sullivan sought a Non-Disclosure Agreement (NDA) with the attackers, asking them to falsely claim that no information or data had been breached.
However, the truth was uncovered a whole year later, in 2017, by the new management, who made the matter public, subsequently ending Sullivan’s run as CSO.
The press release mentions his role in deceiving the new team as well. When the new CEO, Dara Khosrowshahi, was appointed, Sullivan briefed him about the incident via an email that was prepared by his team and allegedly edited by him. He chose to remove important details and wrongly stated that the payment was made after the team was able to identify the hackers.
It is noteworthy that when the NDA was signed, the hackers refused to provide their names. Nevertheless, Uber’s team was able to uncover the identities and names of two hackers: Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, Canada. Upon this discovery, Sullivan came up with new NDAs in their real names, with the same conditions.
The two hackers, however, were prosecuted in the Northern District of California. The Department of Justice’s press release mentions that:
Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The criminal complaint makes clear that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Joseph Sullivan failed to bring the Uber data breach to the attention of law enforcement.
Sullivan is now charged with ‘obstruction of justice.’ If convicted, he will face a statutory maximum of five years in prison and a maximum of three years for the treasonable act.