The government of the United States of America has charged former Uber executive Joe Sullivan with covering up a massive data breach in 2016 by paying the hackers responsible a sum of USD 100,000 in Bitcoin in exchange for their silence. Data of approximately 57 million Uber users and drivers was leaked in this breach. It included driving license numbers of approximately 600,000 people who drove for the company. Sullivan was Uber’s chief of security between 2015 and 2017.
Announcing the criminal charges, the US Attorney in the Northern District of California said that instead of revealing the 2016 breach to law enforcement, Sullivan arranged for Uber to pay the hackers the “hush money” in the form of Bitcoin.
Furthermore, Sullivan had disguised the payment by calling it a “bug bounty”. “It is not a bug bounty to pay a hacker who has taken your data and is threatening to expose it,” the US Attorney said.
The US Attorney said “Silicon Valley is not the Wild West”. “We expect prompt reporting of criminal conduct […] We will not tolerate corporate cover-ups. We will not tolerate illegal hush money,” he added.
Breach was revealed to the public only after a year
Although Sullivan had discovered the hack in November 2016, Uber ultimately disclosed the breach to the public only in November 2017. The US Attorney’s statement said Sullivan deceived Uber’s new management team which took over in 2017. Soon after the breach was made public, Sullivan was fired from the company.
The US Attorney went on to state that the hackers responsible for the 2016 breach were charged in 2019, and they had pleaded guilty. “The hackers admitted to hacking other companies using similar techniques to those used in the Uber hack. If Sullivan had promptly reported the Uber hack, those other hacks may have been prevented,” he said.
NPR reported that Sullivan, in a statement, claimed there was no merit in the charges against him. Sullivan’s spokesperson said, “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all.”