Former Uber Chief Security Officer covered up major data breach

[Image: Man holding phone displaying Uber app. Source: Stock Catalog (via Flickr)]

The US Department of Justice has charged Joseph Sullivan, former Chief Security Officer at Uber, with obstruction of justice following new evidence.

By Jack Robert Stacey | Technology Editor

The US Department of Justice has charged Joseph Sullivan, former Chief Security Officer at Uber, with obstruction of justice following new, potentially incriminating evidence of a major data breach.

As part of their ongoing investigation into Uber’s level of accountability, US Federal Prosecutors have accused Mr Sullivan of intentionally suppressing the existence of a massive data breach that occurred in 2016. The hackers, operating anonymously and remotely, accessed an Uber database containing the private data of approximately 57 million Uber accounts, belonging to both users and drivers; this information was later downloaded and used to hold the company to ransom.

US investigators have submitted a criminal complaint that extensively outlines Mr Sullivan’s alleged involvement in the data breach which, after further questioning and evaluation, is due to be judged by San Francisco’s Federal District Court.

In summary, the criminal complaint asserts that Mr Sullivan attempted to disguise the intrusion and took “deliberate steps to conceal” the hack from Uber and the Federal Trade Commission (FTC). Mr Sullivan denies the charges raised against him.

Mr Sullivan is currently employed by California-based website-security company Cloudflare; however, he was fired from his position as Chief Security Officer at Uber back in 2017, when Uber’s Chief Executive, Dara Khosrowshahi, publicly acknowledged the data breach.

David Anderson, a U.S. Attorney for the Northern District of California, asserted that “Silicon Valley is not the Wild West” and added:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

Federal Prosecutors, in the recent criminal complaint, allege that Mr Sullivan intended to pay off the hackers to avoid backlash and that he approved the transfer of US $100,000 in Bitcoin, a transfer disguised as a routine “bug bounty” payment. The hackers attested that this substantial sum would ensure the deletion of any Personally Identifying Information (PII) harvested from Uber’s database, a dataset that also included approximately 600,000 driver’s license numbers belonging to Uber drivers. The scale of this exposure marks the event as a major data breach.

Although the hackers operated outside of the ‘Uber Bug Bounty Programme’, they received their US $100,000 cryptocurrency payment in December 2016 and, besides refusing to disclose their identities, they rejected a proposal to sign NDAs that falsely stated that they had not stolen Uber data.

Uber, like almost every other major technology company, routinely enlists experienced ‘white hat’ hackers to highlight security risks within its websites and databases. ‘Bug Bounties’ are commonly used as financial incentives, rewarding hackers for ethically identifying and reporting weaknesses in cyber-security so that companies can fix them.

Matt Kallman, the Head of Communications at Uber, recently addressed the investigation, saying:

“We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”

Currently, the tech company has allocated $148m to settling legal battles across the USA; however, as more information is revealed by the Department of Justice’s investigation, the repercussions of the 2016 breach are far from over.
