It looks like a former Uber exec is in a spot of trouble. Joseph Sullivan – the former Chief Security Officer at Uber – has been charged with paying more than $100,000 in bitcoin to hide a 2016 data breach at the company rather than coming forward and reporting what had happened to the right authorities.
Questions Regarding an Uber Exec’s Behavior
The attack may have compromised millions of users and drivers. Sullivan has been charged with obstruction of justice and attempting to cover the situation up. He is believed to have hidden the information from the Federal Trade Commission (FTC) by paying off alleged white hat hackers who did not actually do the hack or compromise the data. Rather, this payment was issued to make it seem as though the hackers were looking to fix security bugs.
A spokesman for the transportation service released the following statement:
“We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, but it embodies the principles by which we are running our business today: transparency, integrity and accountability.”
While the hack may have occurred in 2016, Uber itself did not report the incident until November of the following year. Sullivan’s spokesperson Bradford Williams also took some time to speak to the press about the circumstances involved in the data breach. He states:
“There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former assistant U.S. attorney. This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all… From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department and not Mr. Sullivan or his group was responsible for deciding whether, and to whom, the matter should be disclosed.”
Keeping Things Hush Hush
Sullivan was in control of Uber’s security between April 2015 and November of 2017, right around when the company was first announcing the data breach. In the middle of his term, two hackers contacted him and demanded large sums of money in exchange for silence regarding customers’ and drivers’ private information. Data regarding approximately 57 million separate Uber drivers might have been downloaded by the malicious actors, including license numbers.
In December of 2016, a $100,000 BTC payment was made to the hackers. Sullivan also worked to have them sign non-disclosure agreements which falsely stated that they did not possess any Uber-based information.