The United States Department of Justice (DOJ) announced that it had opened a case against Joseph Sullivan, Uber’s former Chief Security Officer (CSO), after he allegedly paid hush money to keep details of the 2016 hack secret.
Keeping the Hack Details Secret
According to the announcement, Sullivan and Uber knew about a 2016 data breach that led to the disclosure of about 600,000 Uber drivers’ information. The hack also affected an estimated 57 million app users, with their private information at risk.
However, Sullivan allegedly tried to conceal details of the hack from government authorities. The former CSO was accused of having paid the hackers $100,000 in Bitcoin at the time through a bug bounty program, intending to keep information about the hack quiet.
Bug bounty programs are usually used by white hat hackers who report serious security issues to companies. In these legitimate programs, hackers let companies know of faults in their systems, and the companies pay the hackers in return. Top tech firms like Apple and Samsung are known for running such programs.
Sullivan also allegedly took steps to “deflect, and mislead” the Federal Trade Commission (FTC) in its investigation — both concerning the data breach and the $100,000 he paid in hush money.
The former CSO even asked the hackers to sign non-disclosure agreements, which falsely stated that they had not obtained any personal information from Uber. Even after an investigation identified two hackers responsible for the breach, he still asked other hackers to sign NDAs instead of reporting the breach to the appropriate authorities.
Per the announcement, Sullivan is now facing charges of misprision of a felony and obstruction of justice.
Sullivan on the Defensive
Sullivan has denied these allegations. According to a report from Cointelegraph, his spokesperson, Bradford Williams, said that the allegations were unfounded and without merit.
Speaking to the news source, Williams pointed out that Sullivan’s efforts were the only reason why Uber and regulators found out about the hacks in the first place. He added that the former CSO collaborated with Uber’s relevant executives and teams, and that he did all this while complying with the company’s policies.
“Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed,” Williams added.
Sullivan’s case is the latest in a string of incidents in which company officials have had to deal with hackers using cryptocurrency payments. The most common form is ransomware, in which companies make crypto payments in exchange for the restoration of their online systems after hacker-induced downtime.
This month, Reuters reported that travel agency CWT paid 414 BTC (about $4.5 million at the time) to ransomware attackers. The hackers had used the Ragnar Locker ransomware to disable access to over 30,000 computers and steal sensitive data.
While the attackers initially demanded $10 million, company security officials negotiated the price down, citing losses the company had suffered due to the pandemic.