The Department of Justice has announced it is charging Uber’s former Chief Security Officer (CSO) Joseph Sullivan with obstruction of justice.
The charges stem from a data breach Uber suffered in 2016, just days after Sullivan testified before the FTC about a 2014 data breach. In the 2016 data breach, hackers “accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers. The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber.”
Rather than report the new breach, Sullivan orchestrated an attempt to pay off the hackers to prevent the FTC from finding out. To cover his tracks, Sullivan funneled the money through a bug bounty program and tried to get the hackers to sign NDAs. To make matters worse, the NDAs included statements falsely indicating that no data had been taken, statements Sullivan insisted remain in the agreements.
“Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017,” writes the DOJ. “Since that time, Uber has responded to additional government inquiries.
“The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
The entire incident is a case study in how not to handle a data breach. At the same time, Uber’s new CEO and management team are to be commended for doing the right thing as soon as they discovered the truth.