8/20/20: 10:08 pm: Editor’s Note: Bradford Williams, spokesman for Joe Sullivan, clarifies Sullivan has not been arrested, which an earlier version of this story stated. This story will be updated accordingly.
8/20/20 7:47pm: This story has been edited after receiving a statement from an Uber spokesman regarding the incident.
The Department of Justice announced in a press release today that Joseph Sullivan, former Chief Security Officer of Uber, allegedly tried to cover up a 2016 hack that compromised the data of millions of users and drivers. A criminal complaint charged Joseph Sullivan with obstruction of justice for the attempted cover-up of the 2016 hack of Uber Technologies Incorporated.
The press release states that, rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the Federal Trade Commission (FTC). Sullivan allegedly sought to pay the hackers off by funneling the payoff through a bug bounty program—a program in which a third-party intermediary arranges payment to so-called ‘white hat’ hackers who point out security issues but have not actually compromised data.
An Uber spokesman reached out to Forbes Crypto on the story with the following statement: “We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.” A press release from Uber on November 21, 2017 shows the public disclosure made by the company.
The DOJ complaint shows that between April 2015 and November 2017, Sullivan served as Uber’s Chief Security Officer (CSO). During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers had accessed and downloaded an Uber database containing personally identifying information (PII) on approximately 57 million Uber users and drivers. The database included the drivers’ license numbers of approximately 600,000 people who drove for Uber. Sullivan allegedly took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
Uber actually paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers never gave their true names and already had the data. Sullivan even sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers had not taken or stored any data; Sullivan was questioned about this inaccuracy but still proceeded to offer the NDA with that language.
Joe Sullivan appears to be active on Twitter from time to time. In one instance, Sullivan describes speaking at a conference about what the role of a CSO is in the event of a crisis. In 2018, Sullivan had also taken part in a closed legal proceeding in which he swore that he knew of no attempts to steal trade secrets from other companies.
The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The criminal complaint makes clear that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Sullivan failed to bring the Uber data breach to the attention of law enforcement. In sum, Sullivan was charged with obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4. Sullivan’s initial federal court appearance has not yet been scheduled.