FBI charges former Uber chief security officer with obstruction of justice following 2016 hacking incident


The Department of Justice announced charges Thursday against former Uber Chief Security Officer Joe Sullivan. Sullivan has been charged with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated.

According to the complaint, Sullivan, 52, paid hackers to conceal a data breach that threatened to expose personally identifiable information on 57 million Uber customers and drivers. The database included the driver’s license numbers of approximately 600,000 people who drove for Uber.

Sullivan is also accused of misleading the Federal Trade Commission about an earlier hack in 2014. Uber appointed Sullivan as the officer who would share information with the FTC regarding the 2014 hack. 

Instead of revealing the 2016 hack to investigators, Sullivan covered it up by paying the hackers $100,000 in Bitcoin to stay quiet. Sullivan disguised the payment as a "bug bounty."

After the 2016 payment, Sullivan reviewed and submitted documents to the FTC that did not include any information about the 2016 hack.

Uber was not aware of the $100,000 payment made to the hackers. When Uber appointed a new CEO in August of 2017, Sullivan briefed the new CEO about the 2016 incident by email a month later. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it, removing details about the data that the hackers had taken and falsely stating that payment had been made only after the hackers had been identified.

Sullivan was subsequently terminated by Uber after the FTC determined that there had been another hack in 2016 that he had concealed from investigators.

The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing.

Sullivan is charged with obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4. He faces up to 8 years in prison.

A spokesperson for Joe Sullivan has sent KTVU the following statement:

"There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant U.S. Attorney. 

This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department -- and not Mr. Sullivan or his group -- was responsible for deciding whether, and to whom, the matter should be disclosed."