A former Uber executive was charged Thursday in federal court on allegations that he arranged to pay hackers $100,000 to cover up a high-tech heist that stole the personal information about 57 million of the ride-hailing service’s users and drivers during 2016.
Two hackers pleaded guilty in the scheme last year and are awaiting sentencing. The criminal complaint filed Thursday against Joseph Sullivan, Uber's former chief security officer, alleges that the hackers shared the data with a third person — who may still have it.
Sullivan, 52, previously served as an assistant U.S. attorney in a Computer Hacking and IP Unit. He worked in the same federal prosecutor’s office that brought the charges against him.
Sullivan, who lives in Palo Alto, California, was also previously employed by Facebook, eBay and PayPal. He was a member of the federal Commission on Enhancing National Cybersecurity under President Barack Obama.
Bradford Williams, a spokesman for Sullivan who also previously worked for eBay, said in a statement there is “no merit” to the charges.
“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” the statement said. “From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
Sullivan's charges came on the same day as a California appeals court allowed Uber and Lyft to continue treating their drivers as independent contractors in the state in a decision that will give the two companies a few more months to protect their business models in a key market.
The allegations of a cover-up served as yet another reminder of Uber's sordid past under the leadership of its co-founder Travis Kalanick, who stepped down under pressure in 2017. Since then, Uber has been run by Dara Khosrowshahi, who has previously apologized for the San Francisco company's past behavior under his predecessor. Prosecutors said Uber cooperated with its investigation that led to the charges against Sullivan.
The case is being brought by the same U.S. attorney who won a criminal conviction against a former Google engineer sentenced to 18 months in federal prison earlier this month after pleading guilty to stealing trade secrets before joining Uber’s effort to build robotic vehicles. There was never any evidence that he used Google’s trade secrets while overseeing Uber’s self-driving car division. .
Sullivan has not yet been arraigned in federal court in San Francisco. He faces up to eight years in prison, as well as $500,000 in fines, if he is convicted of obstruction of justice and misprision of a felony, a charge that alleges he deliberately concealed the commission of a crime.
“Silicon Valley is not the Wild West,” U.S. Attorney David Anderson said in a news release. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
In the wake of a 2014 hack that was under investigation by federal officials, Uber met — at Sullivan’s alleged instructions — the new hackers’ 2016 demand with the $100,000 Bitcoin payment, prosecutors alleged. Sullivan then, prosecutors say, had the hackers sign non-disclosure agreements — twice — which included a false representation that they had not taken or stored any data.
Sullivan allegedly hid the payment through what's known as a “bug bounty” program, where so-called “white hat” hackers are paid if they point out security problems but do not compromise any data.
Uber's management “ultimately discovered the truth," despite Sullivan's alleged efforts to conceal it, the U.S. attorney's office says, and publicly announced the breach in November 2017. Sullivan was fired.
Prosecutors allege the hackers might not have infiltrated other companies if Sullivan had properly reported Uber's incident.