Uber’s former security chief has been charged with obstruction of justice for trying to hide a data breach from the Federal Trade Commission and Uber management, according to a statement from the Department of Justice. Joseph Sullivan, who was Uber’s chief security officer from April 2015 to November 2017, allegedly concealed the hack that occurred in October 2016, which exposed confidential data of 57 million drivers and customers, including drivers’ license information. Uber paid the hackers $100,000 in bitcoin to delete the data, according to the Justice Department. (Sullivan was later fired.)
In addition to obstruction of justice, Sullivan is charged with misprision of a felony, meaning he knew of the breach and took steps to conceal it. If convicted, he faces up to five years in prison for the obstruction charge and up to three years for the misprision charge.
The hack occurred during an investigation into a 2014 breach, and Sullivan was helping authorities with that investigation when two hackers contacted him and demanded a six-figure payment to keep the hack quiet, the Justice Department says.
“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC,” according to the Justice Department.
According to the charges, Sullivan tried to pay the hackers via a bug bounty program, paying the $100,000 even though the company didn’t know who the hackers were. Sullivan tried to get the hackers to sign nondisclosure agreements, which stated that the hackers didn’t take or store any of the user and driver data. Once Uber staff identified the hackers, Sullivan had them sign new copies of the NDAs. Uber management discovered what was happening and disclosed the breach. Since November 2016, Uber has been cooperating with the government in the investigation, according to the Department of Justice statement.
Uber did not immediately respond to a request for comment Thursday.