Ex-Uber security head charged in connection with the cover-up of a 2016 hack that affected 57 million customers

Aug 21, 2020, 08:03 IST
Business Insider
  • Uber's former chief security officer, Joe Sullivan, was charged Thursday with obstruction of justice over allegations he tried to cover up a data breach in 2016.
  • A data breach at Uber in October 2016 exposed the personal data of 57 million drivers and passengers. It's reported that Sullivan and former CEO Travis Kalanick decided to pay hackers $100,000 to keep quiet.
  • The hack remained concealed until Uber's newly appointed CEO, Dara Khosrowshahi, disclosed it to the public in November 2017. Sullivan was fired shortly after.
  • US prosecutors have charged Sullivan, now chief information security officer at Cloudflare, with obstruction of justice and misprision, which carry a combined maximum sentence of eight years in jail.

The former head of security for Uber is facing federal charges over accusations he orchestrated an attempted cover-up of an October 2016 data breach that affected around 57 million Uber drivers and passengers.

US prosecutors announced Thursday they filed criminal charges against Joe Sullivan, the former Uber executive and current chief information security officer for Cloudflare. The prosecutors accuse Sullivan of paying hackers a ransom to keep quiet about the data breach, according to the complaint.

The New York Times, which first reported the news Thursday, says the criminal charges may be the first ever filed against an executive regarding a company's response to a data breach.

Uber's data breach wasn't made public until November 2017, nearly a year after the hack occurred. CEO Dara Khosrowshahi disclosed the news of the breach just months after filling the role at Uber, saying in a blog post that "none of this should have happened."

The new charges seem to confirm previous news reports that Sullivan and former Uber CEO Travis Kalanick arranged a deal to pay hackers $100,000 to get them to erase the data they stole — including names, email addresses, and phone numbers. The two executives then reportedly concealed the payout in Uber's financials, and failed to report the incident to regulators and customers.

Kalanick resigned from the company in June 2017 before the breach was disclosed. Sullivan was fired in the weeks after news of the hack was made public. Multiple security managers and other leaders at Uber were also fired in the aftermath.

In a statement to Business Insider, Uber said it was continuing to "cooperate fully" with the federal investigation, and backed Khosrowshahi's breach disclosure in 2017 as "the right thing to do."

Sullivan is currently chief information security officer at web-hosting company Cloudflare, and still holds the position as of Thursday following the charges. Cloudflare's CEO wrote in a tweet that he was "sad" to see the allegations against Sullivan, and hoped to see the incident "resolved quickly."

Kalanick, meanwhile, was not mentioned in the Department of Justice complaint regarding the breach.

The DOJ has charged Sullivan with obstruction of justice and misprision. Together, the two criminal charges hold a maximum sentence of eight years in prison.

"There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant US Attorney," his spokesperson told Business Insider.

"This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world's foremost security experts, Mr. Sullivan included," the spokesperson continued. "If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications, and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed."
