Uber’s ex-security head paid $100,000 in Bitcoin to cover up hack, says FBI

Joseph Sullivan, the former chief security officer at Uber, has been charged with paying a $100,000 ransom in Bitcoin to cover up a hacking attack that compromised the personal data of millions of Uber users and drivers back in 2016.

The criminal complaint, announced by United States Attorney David Anderson and FBI Deputy Special Agent in Charge Craig Fair, charges Sullivan with “obstruction of justice and misprision of a felony” by failing to contact the authorities and paying the ransom instead.

A spokesperson for Sullivan said, "There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant U.S. Attorney. This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all."

"From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department -- and not Mr. Sullivan or his group -- was responsible for deciding whether, and to whom, the matter should be disclosed," he added.

Who hacked Uber?

According to the document, between April 2015 and November 2017, two individuals contacted Sullivan via email and “demanded a six-figure payment in exchange for silence.” To back up their demands, the hackers told the former CSO that they had gained access to Uber’s database. That database contained “personally identifying information” of about 57 million Uber users, including the drivers’ license numbers of approximately 600,000 drivers.

“Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC [Federal Trade Commission],” stated the complaint, adding that “Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program” and “Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact that the hackers refused to provide their true names.”

Despite their anonymity, Sullivan made the hackers sign non-disclosure agreements, falsely claiming that they didn’t steal or store any data, the document stated. Moreover, even after they were identified by Uber personnel (and subsequently arrested), Sullivan allegedly demanded that the hackers sign updated copies with their true names.

Uber’s new management discovered and publicly disclosed the security breach in November 2017, the document noted.

“Concealing information about a felony from law enforcement is a crime,” said Fair, adding that “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

If found guilty, Sullivan could face a maximum statutory penalty of five years in prison for the obstruction charge and a maximum of three years of prison for the misprision charge, according to the complaint.

“Silicon Valley is not the Wild West,” summarized Anderson, adding that, “We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

Update: This article has been updated with a comment from Sullivan's spokesperson.