Uber’s ex-security chief charged with covering up 2016 hacking which exposed data of 57 million users
- Joseph Sullivan took ‘deliberate steps’ to keep authorities from learning about the hack, says the US Department of Justice
- Sullivan arranged to pay the hackers US$100,000 under Uber’s scheme for rewarding security researchers who report flaws
The US Department of Justice charged Joseph Sullivan, 52, with felony obstruction of justice, saying he took “deliberate steps” to keep the Federal Trade Commission from learning about the hack while the agency was monitoring Uber security in the wake of an earlier breach.
The case was believed to be first time a corporate information security officer has been charged with concealing a hack.
Sullivan, himself a former federal prosecutor, arranged to pay the hackers US$100,000 under Uber’s programme for rewarding security researchers who report flaws. That amount was by far the most Uber had paid through the bounty programme, which was not meant to cover theft of sensitive data.
A former chief of security at Facebook, Sullivan now works as chief information security officer at Cloudflare.
In past interviews, security staff said the Uber payout was intended to force the hackers into the open to accept the money and to ensure that the data, especially driving licence information on Uber contractors, was destroyed.