A spokesperson for Sullivan claimed that, had it not been for his efforts with the team, the breach would never have been discovered
According to a statement released by the Department of Justice (DOJ), a former Chief Security Officer (CSO) of Uber was charged with obstruction of justice for allegedly attempting to conceal a data breach from the Federal Trade Commission and the management of Uber.
Joseph Sullivan served as the company’s CSO from April 2015 to November 2017. He is accused of covering up a hack that happened around October 2016, which exposed the confidential information of over 57 million drivers and customers. This included information that the company collected on drivers’ licenses.
The DOJ alleged that while Sullivan was helping the authorities with the investigation, two hackers had contacted him and demanded a six-figure payment in exchange for their silence.
“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,” the DOJ said.
It added that Sullivan attempted to pay the hackers through a bug bounty and tried to get the hackers to sign nondisclosure agreements as well.
Once the staff at Uber had identified the hackers, Sullivan attempted once more to have them sign a new NDA, whereupon management found out about his actions and disclosed the breach.
According to the DOJ, the company paid the hackers $100,000 in Bitcoin to delete the data. Sullivan was also fired after this incident.
Beyond being charged with obstruction of justice, Sullivan is also being accused of misprision of a felony, which means that he had knowledge of the breach when it happened and that he actively worked to conceal it.
If Sullivan is convicted, he could face up to five years in prison for obstruction, and up to three years for the misprision charge.
However, a statement from Sullivan’s spokesperson, Bradford Williams, strongly denied these charges and said that the charges against his client had “no merit.” Williams added that had it not been for the hard work of Sullivan and his team at Uber, “it’s likely that the individuals responsible for this incident never would have been identified at all.”
“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” Williams stated.
“Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”