The FBI has charged Uber's former security chief with paying $100,000 in cryptocurrency to cover up a 2016 hack of the company's systems that exposed the personal information of 57 million users and drivers.
Specifically, the FBI alleges that Uber's former Chief Security Officer, Joseph Sullivan, paid hackers $100,000 in Bitcoin in an attempt to cover up a wide-scale data breach that affected 57 million drivers and Uber users.
According to a complaint filed in the Northern District of California, Sullivan, who served as Uber's chief security officer from April 2015 to November 2017, was contacted by two hackers demanding a "six-figure payment in exchange for silence."
"The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifiable information, or PII, associated with approximately 57 million users and drivers. The database included the drivers' license numbers for approximately 600,000 people who drove for Uber."
The criminal complaint alleges that Mr Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach."
United States Attorney David L Anderson stated that "Silicon Valley is not the Wild West," adding: "We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."
FBI Deputy Special Agent in Charge Craig D Fair said that "concealing information about a felony from law enforcement is a crime… while this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people's personal data."
The complaint filed in federal court states that after Uber was hacked in 2014, the Federal Trade Commission (FTC) asked Uber for responses to written questions and required an employee to testify. In November 2016, reportedly ten days after Mr Sullivan gave his testimony to the FTC, he received an email from a hacker informing him that Uber had been hacked again.
The filing states that "Sullivan's team was able to confirm the breach within 24 hours of his receipt of the email," and adds that "rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC."
"Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact that the hackers refused to provide their true names. In addition, Sullivan sought to have the hackers sign non-disclosure agreements."
Both hackers were prosecuted in the Northern District of California and pleaded guilty to computer fraud conspiracy charges on October 30, 2019. The complaint also states that "both hackers chose to target and successfully hack other technology companies and their users' data after Sullivan failed to bring the Uber data breach to the attention of law enforcement."
Joseph Sullivan denies the allegations of the filing.
A spokesperson for Mr Sullivan has said that "there is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant U.S. Attorney. This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world's foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all."
The spokesperson continued: "From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department – and not Mr. Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed."
The case against Mr Sullivan will be prosecuted by the Corporate Fraud Strike Force of the U.S. Attorney's Office, following an investigation conducted by the FBI.