According to a criminal complaint filed in Northern California’s District Court this week, Joseph Sullivan ordered his security staff to “tightly control details about the hack, which allegedly includes lying to incoming CEO Dara Khosrowshahi about just how devastating the Uber breach was. Khosrowshahi joined on with Uber in 2017. The New York Times previously reported the charges.
Sullivan didn’t only order his security staff to not release information regarding the hack and had informed others that it was “on a need-to-know basis,” the complaint reads, but Uber also viewed the hack as white hat hacking that is included in the company’s bug bounty program, and Sullivan suggested to pay the hackers $100,000. That amount of money was far larger than anything Uber had ever paid for discovering vulnerabilities in its technology before.
Additionally, Sullivan issued a non-disclosure agreement (NDA) to the hackers that were involved in exchange for the unusual payment amount of $100,000 and purposefully hid information in the NDA about the fact that any data had been compromised.
There are more problems for Sullivan because he never disclosed information to the Federal Trade Commission during conversations with the agency about unrelated issues to the breach in 2016, the complaint says. It is also alleged that Sullivan “did not inform the Uber attorneys working on the FTC investigation either in-house or outside counsel that the breach had occurred.”
Just months after Khosrowshahi joined Uber, the breach went public and Sullivan and an Uber employee in its legal department were fired. The two people who carried out Uber hack, Vasile Mereacre and Brandon Glover and Vasile Mereacre, gave guilty pleas in court late last year, The New York Times reported.
“We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, but it also embodies the principles by which we are running our business today: transparency, integrity, and accountability,” A spokesman for Uber said.
Deputy Special Agent in Charge Craig D. Fair GAVE A STATEMENT AND SAID, “Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice.”
“Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
Kyle James Lee – The AEGIS Alliance – This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.