Former Uber Executive Charged With Paying ‘Hush Money’ To Conceal Massive Breach

Enlarge this image

Federal prosecutors allege Uber’s former head of security organized a cover-up of a massive data breach.

Justin Sullivan/Getty Images

hide caption

toggle caption

Justin Sullivan/Getty Images

The Two-Way
Uber Data On 57 Million People Stolen In Massive Hack

«Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed, David Anderson, U.S. Attorney for the Northern District of California, told NPR.

An unusually large «bug bounty

Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management — with one exception. According to the complaint, Uber’s CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber’s «bug bounty program.

Kalanick has not been charged and wouldn’t comment for this story. NPR has reached out to Uber for comment. A spokesperson for Sullivan sent a statement saying there was no merit to the charges and that he was part of larger team that worked on security. «If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all, he said. The spokesman said Uber’s legal team was responsible for deciding if and to whom the matter should be disclosed, rather than Sullivan.

Like many tech companies, Uber pays so-called «white hat hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company’s program «had a nominal cap of $10,000.

Uber required the hackers to sign non-disclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data.

«The problem is that this hush money payment was not a bug bounty, Anderson said. «We allege that this entire course of conduct reflects [Sullivan’s] consciousness of guilt and desperation to conceal.

Sullivan never notified FTC about breach

The charges are the latest turn in a saga that dates back to November 2016, when Sullivan received an email from a hacker calling himself «John Doughs, who claimed to have found a «major vulnerability in uber. The hacker claimed «I was able to dump uber database and many other things, according to the complaint.

At the time, Uber was under investigation by the Federal Trade Commission for a separate 2014 breach that was carried out the same way «John Doughs accessed Uber’s data. In both cases, hackers got hold of keys to get into Uber’s Amazon cloud servers, where the company stored data on drivers and customers, the complaint said.

In the 2014 breach, a hacker gained access to the names and drivers licenses of about 50,000 drivers. The 2016 intrusion was much larger: those hackers got hold of names and drivers license numbers of about 600,000 drivers, as well as the names, email addresses and phone numbers of 57 million passengers and drivers.

After receiving John Doughs’s email, Sullivan quickly notified Kalanick that he had «something sensitive to update him about, according to the complaint. A text message from Kalanick cited in the complaint discussed paying the hackers through the bug bounty program.

«Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug] bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly, Kalanick wrote, according to the complaint.

Sullivan never told the FTC about the new breach, even though he was closely involved in responding to the agency’s investigation of the earlier hack, according to the complaint.

«Witnesses reported Sullivan was visibly shaken by the events, the complaint said. «A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out.

Year-long delay in reporting the hack

The breach only came fully to light a year after Sullivan first learned about it, and only after Kalanick was forced out following a string of scandals over Uber’s aggressive competitive behavior and toxic work environment. Sullivan initially lied about the circumstances surrounding the breach to Kalanick’s successor, Dara Khosrowshahi, according to the complaint.

In November 2017, Khosrowshahi disclosed the breach to the FTC, issued a public apology and fired Sullivan.

Business
Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach

Uber settled with the FTC and agreed to audits of its privacy and security systems every two years for 20 years. The company also paid a record $148 million penalty to settle lawsuits brought by all 50 states and the District of Columbia.

Last year, Anderson’s office charged two men with the breach: Brandon Glover of Winter Springs, Fla., and Vasile Mereacre of Toronto, Canada. They pleaded guilty to computer hacking and extortion — not just in the Uber intrusion, but in a subsequent breach of LinkedIn’s Lynda.com learning platform.

«One of the results of the cover-up is that the hackers continued to hack other companies in a way similar to what they had done to Uber, Anderson said. «Because the Uber hack was concealed, law enforcement was not able to respond, law enforcement was not able to take the hackers into custody, law enforcement was not able to disrupt what they were doing.

In addition, the complaint against Sullivan alleged that the two hackers shared the Uber data they stole with a third person who has not been charged. That person could still have the data, Anderson said.

Sullivan is well-known in Silicon Valley. He has served as chief security officer at internet security company Cloudflare since 2018. Before joining Uber in 2015, he worked at Facebook for six years, including as chief security officer.

Before moving into tech, Sullivan spent two years prosecuting computer hacking and intellectual property crimes as an assistant U.S. Attorney in the Northern District of California — the office that brought the charges against him.

If he is found guilty, Sullivan faces up to eight years in prison, as well as potential fines of up to $500,000.

Editor’s note: Uber is among NPR’s financial supporters.