CYFOR Blog

The Department of Justice say former Uber CSO Joe Sullivan lied to management about the data breach cover-up and paid hush money to the hackers.

The U.S. Department of Justice has charged the 52-year-old with obstruction of justice after a data breach cover-up in 2016 that exposed the details of 57 million Uber drivers and passengers.

The hackers demanded a six-figure payment in an attempt to extort Uber. To cover up the breach, Uber eventually paid the cybercriminals $100,000 (£75,000) in Bitcoin and instructed them to delete the data. This payment was disguised as a “bug bounty” reward through its HackerOne program, which is used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The charges against him allege that he asked the hackers to sign non-disclosure agreements, falsely stating they had not stolen any Uber data. Uber chief executive Dara Khosrowshahi disclosed the data breach in 2017 and Sullivan was fired over his role in the handling of the incident.

The charges filed by the US Department of Justice said Mr Sullivan had taken “deliberate steps” to stop the Federal Trade Commission (FTC) from finding out about the hack. He deceived Uber’s management team about the data breach and failed to provide critical details. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.

Further investigation revealed that the hackers were two individuals living in Canada and Florida. They pleaded guilty in October 2019, admitting that they stole information from unprotected AWS servers and then demanded payment to destroy the data.

U.S. officials expressed discontent over how the incident was addressed, particularly since the information was withheld from the FTC, which at the time was investigating a smaller cybersecurity incident suffered by the ride-sharing firm in 2014. The company eventually paid $148m to settle legal claims by all 50 US states and Washington DC.