Federal prosecutors have charged Uber's former chief security officer with covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack.
Prosecutors are charging Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in federal court in California on Thursday.
"Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed," David Anderson, U.S. attorney for the Northern District of California, told NPR.
A spokesperson for Sullivan sent a statement saying there was no merit to the charges and that he was part of larger team that worked on security. "If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all," he said. The spokesperson said Uber's legal team, rather than Sullivan, was responsible for deciding whether and to whom the matter should be disclosed.
Uber spokesman Matt Kallman said: "We continue to cooperate fully with the Department of Justice's investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."
An unusually large "bug bounty"
Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management — with one exception. According to the complaint, Uber's CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber's "bug bounty" program.
Kalanick has not been charged and wouldn't comment for this story.
Like many tech companies, Uber pays so-called "white hat" hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company's program "had a nominal cap of $10,000."
Uber required the hackers to sign nondisclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data.
"The problem is that this hush money payment was not a bug bounty," Anderson said. "We allege that this entire course of conduct reflects [Sullivan's] consciousness of guilt and desperation to conceal."
Sullivan never notified FTC about breach
The charges are the latest turn in a saga that dates back to November 2016, when Sullivan received an email from a hacker calling himself "John Doughs," who claimed to have found a "major vulnerability in uber." The hacker said, "I was able to dump uber database and many other things," according to the complaint.
At the time, Uber was under investigation by the Federal Trade Commission for a separate 2014 breach that was carried out the same way "John Doughs" accessed Uber's data. In both cases, hackers got hold of keys to get into Uber's Amazon cloud servers, where the company stored data on drivers and customers, the complaint said.
In the 2014 breach, a hacker gained access to the names and driver's licenses of about 50,000 drivers. The 2016 intrusion was much larger; those hackers got hold of names and driver's license numbers of about 600,000 drivers, as well as the names, email addresses and phone numbers of 57 million passengers and drivers.
After receiving John Doughs' email, Sullivan quickly notified Kalanick that he had "something sensitive" to update him about, according to the complaint. A text message from Kalanick cited in the complaint discussed paying the hackers through the bug bounty program.
"Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation... resources can be flexible in order to put this to bed but we need to document this very tightly," Kalanick wrote, according to the complaint.
Sullivan never told the FTC about the new breach, even though he was closely involved in responding to the agency's investigation of the earlier hack, according to the complaint.
"Witnesses reported Sullivan was visibly shaken by the events," the complaint said. "A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out."
Yearlong delay in reporting the hack
The breach came fully to light a year after Sullivan first learned about it, and only after Kalanick was forced out following a string of scandals over Uber's aggressive competitive behavior and toxic work environment. Sullivan initially lied about the circumstances surrounding the breach to Kalanick's successor, Dara Khosrowshahi, according to the complaint.
In November 2017, Khosrowshahi disclosed the breach to the FTC, issued a public apology and fired Sullivan.
Uber settled with the FTC and agreed to audits of its privacy and security systems every two years for 20 years. The company also paid a record $148 million penalty to settle lawsuits brought by all 50 states and the District of Columbia.
Last year, Anderson's office charged two men with the breach: Brandon Glover of Winter Springs, Fla., and Vasile Mereacre of Toronto. They pleaded guilty to computer hacking and extortion — not just in the Uber intrusion, but in a subsequent breach of LinkedIn's Lynda.com learning platform.
"One of the results of the cover-up is that the hackers continued to hack other companies in a way similar to what they had done to Uber," Anderson said. "Because the Uber hack was concealed, law enforcement was not able to respond, law enforcement was not able to take the hackers into custody, law enforcement was not able to disrupt what they were doing."
In addition, the complaint against Sullivan alleged that the two hackers shared the Uber data they stole with a third person who has not been charged. That person could still have the data, Anderson said.
Sullivan is well-known in Silicon Valley. He has served as chief security officer at Internet security company Cloudflare since 2018. Before joining Uber in 2015, he worked at Facebook for six years, including as chief security officer.
Before moving into tech, Sullivan spent two years prosecuting computer hacking and intellectual property crimes as an assistant U.S. attorney in the Northern District of California — the office that brought the charges against him.
If he is found guilty, Sullivan faces up to eight years in prison, as well as potential fines of up to $500,000.
Editor's note: Uber is among NPR's financial supporters.
AILSA CHANG, HOST:
Uber's former chief security officer is facing criminal charges for allegedly covering up a massive data breach that affected 57 million passengers and drivers. Federal prosecutors say the former executive concealed the breach from authorities and paid the hackers $100,000 to cover it up. NPR's tech correspondent Shannon Bond joins us now with more. Hey, Shannon.
SHANNON BOND, BYLINE: Hey, Ailsa.
CHANG: Hey. We should note first that Uber is a financial supporter of NPR. So, Shannon, tell us the story behind these charges.
BOND: Right. So Joe Sullivan was Uber's head of security. He was the person in charge of making sure that hackers couldn't get inside Uber's systems or steal sensitive personal data on drivers and customers. But back in 2016 two hackers did just that. They got into a database. They took driver's license numbers of some 600,000 drivers, also email addresses and phone numbers of 57 million people. David Anderson, the U.S. attorney here in northern California, brought these charges. And he says instead of reporting this breach to the authorities, Sullivan hid it. Here's what he told me.
DAVID ANDERSON: Sullivan is being charged with a corporate cover-up, and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed.
BOND: Now, a spokesman for Sullivan says there's no merit to these charges. He says the hackers got identified because of Sullivan's efforts, and it was up to Uber's legal department to disclose this breach. But if convicted, Sullivan faces up to eight years in prison and fines.
CHANG: What do prosecutors mean by hush money?
BOND: Well, Uber really tried to keep this whole thing under wraps. Prosecutors allege Sullivan arranged for Uber to pay the hackers this hundred thousand dollars and signed nondisclosure agreements that said falsely that the hackers never stole any data. And they also say that Uber's CEO at the time, co-founder Travis Kalanick, knew about the breach. He knew about the plan to pay off the hackers. To be clear, Kalanick has not been charged. He declined to comment. But, you know, this whole situation is really reminiscent of these hard-charging, boundary-pushing behaviors that got Uber in trouble again and again under Kalanick's leadership.
CHANG: Right. Right. Well, I mean, Uber did eventually reveal the hack here, right?
BOND: That's right. After Kalanick was pushed out, the breach did come to light. Uber's new CEO disclosed it to authorities. He apologized. He fired Sullivan, but that was a year after Sullivan first learned about this breach. And prosecutors say that that delay had serious consequences. The hackers were able to go on and target other companies. They carried out another big breach at LinkedIn. The U.S. attorney charged two men with the hack. They pleaded guilty to criminal charges last year, and Uber says it's cooperating with the investigation.
CHANG: And while we're at it, we should also point out that Uber is in the news right now for another reason. Tell us about what's going on here in California real quick.
BOND: That's right. Uber and rival Lyft had been threatening to suspend service in California at midnight tonight. That's because last week a judge ordered them to reclassify their drivers as employees instead of independent contractors to comply with a new state labor law. The companies say they can't just flip a switch. But this afternoon they got a reprieve. An appeals court has given them more time to figure this out. They have until early September to come up with plans for how they would comply with this law if they end up losing in court.
CHANG: That is NPR's Shannon Bond. Thank you, Shannon.
BOND: Thanks. Transcript provided by NPR, Copyright NPR.