Joseph Sullivan, a former Chief Security Officer at Uber, allegedly tried to cover up a 2016 hack of sensitive data by funneling a hush money payment of $100,000 in Bitcoin through a bug bounty program.
The hackers had obtained the drivers’ license numbers of roughly 600,000 Uber drivers as well as private information for roughly 57 million users.
According to an Aug. 20 announcement from the U.S. Department of Justice (DoJ), Sullivan has been charged with obstruction of justice and misprision of a felony in connection with the 2016 hack. The former CSO is accused of taking “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission (FTC) regarding the data breach and the associated $100,000 Bitcoin (BTC) hush money payment.
The DoJ accused him of keeping the breach from being reported to the FTC by funneling the Bitcoin hush money through a bug bounty program. Ordinarily such programs are used for legitimate payments to ‘white hat’ hackers who report a company’s security issues, not to those who actually obtain unauthorized data.
“We will not tolerate illegal hush money payments,” said U.S. Attorney David Anderson. “Silicon Valley is not the Wild West.”
The agency also alleges Sullivan tried to conceal the company’s involvement in the breach by asking the hackers to sign non-disclosure agreements falsely stating they had not obtained any personal data from Uber — even though the hackers were still anonymous at the time. When an investigation unmasked two of the individuals responsible for the breach, the DoJ alleges Sullivan still asked them to sign NDAs rather than reporting them.
“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” Williams stated. “Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
Two of the hackers involved in the Uber breach pleaded guilty to charges of computer fraud conspiracy in October and are now awaiting sentencing.
Companies are increasingly being forced to deal directly with cyber criminals — though most remain within the law while doing so. Representatives from U.S.-based corporate travel firm CWT were able to negotiate a 50% discount from hackers demanding a $10 million payment after they stole sensitive files from the company in July.
More recently, the University of California conducted a week-long negotiation with a NetWalker ransomware group after it shut down seven of the institution’s servers. The university was able to convince the group to come down from $3 million to $1 million using respectful and flattering language in their chats.