A former Uber executive was charged Thursday in federal court on allegations that he arranged to pay hackers $100,000 to cover up a high-tech heist that stole the personal information about 57 million of the ride-hailing serviceโs users and drivers during 2016.
Two hackers pleaded guilty in the scheme last year and are awaiting sentencing. The criminal complaint filed Thursday against Joseph Sullivan, Uber's former chief security officer, alleges that the hackers shared the data with a third person โ who may still have it.
Sullivan, 52, previously served as an assistant U.S. attorney in a Computer Hacking and IP Unit. He worked in the same federal prosecutorโs office that brought the charges against him.
Sullivan, who lives in Palo Alto, California, was also previously employed by Facebook, eBay and PayPal. He was a member of the federal Commission on Enhancing National Cybersecurity under President Barack Obama.
Bradford Williams, a spokesman for Sullivan who also previously worked for eBay, said in a statement there is โno meritโ to the charges.
โIf not for Mr. Sullivanโs and his teamโs efforts, itโs likely that the individuals responsible for this incident never would have been identified at all,โ the statement said. โFrom the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the companyโs written policies. Those policies made clear that Uberโs legal department โ and not Mr. Sullivan or his group โ was responsible for deciding whether, and to whom, the matter should be disclosed.โ
Sullivan's charges came on the same day as a California appeals court allowed Uber and Lyft to continue treating their drivers as independent contractors in the state in a decision that will give the two companies a few more months to protect their business models in a key market.
The allegations of a cover-up served as yet another reminder of Uber's sordid past under the leadership of its co-founder Travis Kalanick, who stepped down under pressure in 2017. Since then, Uber has been run by Dara Khosrowshahi, who has previously apologized for the San Francisco company's past behavior under his predecessor. Prosecutors said Uber cooperated with its investigation that led to the charges against Sullivan.
The case is being brought by the same U.S. attorney who won a criminal conviction against a former Google engineer sentenced to 18 months in federal prison earlier this month after pleading guilty to stealing trade secrets before joining Uberโs effort to build robotic vehicles. There was never any evidence that he used Googleโs trade secrets while overseeing Uberโs self-driving car division. .
Sullivan has not yet been arraigned in federal court in San Francisco. He faces up to eight years in prison, as well as $500,000 in fines, if he is convicted of obstruction of justice and misprision of a felony, a charge that alleges he deliberately concealed the commission of a crime.
โSilicon Valley is not the Wild West,โ U.S. Attorney David Anderson said in a news release. โWe expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.โ
In the wake of a 2014 hack that was under investigation by federal officials, Uber met โ at Sullivanโs alleged instructions โ the new hackersโ 2016 demand with the $100,000 Bitcoin payment, prosecutors alleged. Sullivan then, prosecutors say, had the hackers sign non-disclosure agreements โ twice โ which included a false representation that they had not taken or stored any data.
Sullivan allegedly hid the payment through what's known as a โbug bountyโ program, where so-called โwhite hatโ hackers are paid if they point out security problems but do not compromise any data.
Uber's management โultimately discovered the truth," despite Sullivan's alleged efforts to conceal it, the U.S. attorney's office says, and publicly announced the breach in November 2017. Sullivan was fired.
Prosecutors allege the hackers might not have infiltrated other companies if Sullivan had properly reported Uber's incident.
