Former Uber security chief to face fraud charges over hack coverup

Black cards of Uber logos lined up in a row
(Image credit: Shutterstock)

A former Uber security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hack that exposed the personal information of 57 million passengers and drivers, a federal judge said yesterday.

Uber fired its chief security officer (CSO) Joseph Sullivan, currently the chief security officer of Cloudflare, in 2017 after it emerged that the company tried to hide a huge data breach. The breach took place in October 2016 and included names and email addresses of over 50 million users of the app as well as 7 million drivers, with hackers accessing around 600,000 driver’s licence numbers. The cover-up also involved payments of $100,000 in Bitcoin to the hackers.

The US Department of Justice added three charges against Sullivan in December to an earlier indictment, according to Reuters, claiming he arranged to pay two hackers in exchange for their silence while trying to hide the hack from passengers, drivers, and the US Federal Trade Commission (FTC).

In the December indictment, it alleged that Sullivan tried to suppress discovery of the breach by having two of the hackers execute a non-disclosure agreement. It falsely stated that the hackers had neither taken nor stored Uber’s data in the 2016 breach. It also said Sullivan allegedly misrepresented to Uber’s new chief executive officer, Dara Khosrowshahi, the nature and scope of the data that was compromised, falsely suggested that the incident wasn’t a data breach, and sent an email falsely claiming that the data breach wasn’t a data breach at all, but an incident that was no more severe than other security incidents.

Now, U.S. District Judge William Orrick in San Francisco rejected Sullivan’s claim that prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers wouldn’t flee and would continue paying service fees.

Orrick also rejected the former Uber security chief’s claim that the people allegedly deceived were Uber’s then-chief executive Travis Kalanick and its general counsel, not the drivers.

RELATED RESOURCE

Six myths of SIEM

Things have changed when it comes to SIEM solutions

FREE DOWNLOAD

"Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them," said Orrick, according to the indictment.

Sullivan was originally indicted in September 2020 and also faces two obstruction charges. He’s believed to be the first corporate information security officer criminally charged with concealing a hack.

Uber was fined $148 million in 2018 for failing to notify its drivers that their personal details had been hacked in 2016. The ride-hailing firm agreed on a settlement with all 50 states and the District of Columbia.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.