According to NPR, federal prosecutors have charged Uber’s former chief security officer Joe Sullivan with obstructing justice and concealing a felony. Sullivan is accused of covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. It’s estimated that personal data from 57 million Uber passengers and drivers was stolen.
According to the charges, Sullivan intentionally withheld the breach from regulators and failed to report it to law enforcement or the public: “Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed.”
In 2016, Sullivan received an email from a hacker calling himself “John Doughs,” who claimed to have found a major vulnerability within the company’s system. At that time, Uber was already under investigation by the Federal Trade Commission for a separate data breach that was carried out in 2014. In both breaches, hackers accessed Uber’s Amazon cloud servers—which is where the company stored data on drivers and customers.
While the 2014 hack resulted in the exposure of the names and driver’s licenses of approximately 50,000 drivers, the 2016 intrusion was larger. Hackers got ahold of names and driver’s license numbers for nearly 600,000 drivers, as well as names, email addresses, and phone numbers of 57 million passengers and drivers.
Sullivan not only hid the breach from authorities, but he also concealed it from many other Uber employees, including top management. According to the complaint, however, Uber’s CEO at the time, Travis Kalanick, knew about the breach and Sullivan’s decision to make the $100,000 payout under Uber’s “bug bounty” program.
That program is supposed to be used to pay so-called “white hat” hackers to test Uber’s systems for vulnerabilities. The $100,000 payment, however, was much larger than any bug bounty previously paid. The company’s program had a nominal cap of $10,000.
Uber disclosed the breach in 2017. Matt Kallman, Uber spokesperson, discussed intent to continue to cooperate with authorities: “We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.” If Sullivan is found guilty, he could face up to eight years in prison and potential fines of up to $500,000.
The Rideshare Law Group keeps tabs on all the latest happenings in the rideshare industry. For more information, click here to visit our blog. In the event you have a legal question pertaining to a rideshare incident, contact us to learn about your legal rights and options.