A 2016 data breach was reportedly concealed by Uber’s chief security officer, which exposes the data of 57 million users.
In a complaint filed on Thursday in the San Francisco District Court, the name of Joe Sullivan allegedly ‘withhold and conceal’ the hacking of data in 2016. Sullivan, who led Uber’s security team for more than two years, was also accused of paying $100,000 of Bitcoin to hackers.
The payment is part of the deal to conceal the hacking and the amount of data involved. Hackers will sign in exchange for the money and claim they have not accessed or stored any company data.
However, the hacked database contained approximately personal data of 57 million users, both drivers, and passengers. These include driver’s license numbers, names, and contact information.
Uber only disclosed the breach and payment in 2017, citing that ‘it’s the right thing to do.’ The company is cooperating with the Department of Justice (DOJ) to withhold transparency and accountability.
Obstruction of justice is among the cases charged to Sullivan for trying to cover up the data breach incident. Meanwhile, DOJ released a statement reporting detailing the incident involving Uber.
Hush Money Payments
Sullivan allegedly took deliberate steps to prevent the knowledge from leaking to the public and reaching the Federal Trade Commission (FTC). He even arranged a bug bounty program to arrange the payment to the hackers who point out security issues and not compromise data.
As for the US Attorney David Anderson who announced the charges, “We will not tolerate illegal hush money payments.”
Sullivan spokesperson Bradford Williams said there’s no merit against the charges on Sullivan, being a respected cybersecurity specialist. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” added Williams.
The mentioned two hackers were identified by the Northern District of California, who pleaded guilty on October 30, 2019. The criminal complaint stated that the two hackers successfully hack tech companies after Sullivan failed to bring the Uber data to law enforcement.
However, the issue highlighted in this case is the failure to inform the authorities about the incident and pay a bounty worth $100,000 in Bitcoin in December 2016. In line with this, when Uber disclosed the breach, the company paid another $148 million to settle the investigation.
The settlement is considered the largest multi-city breach settlement in history.