Uber's former chief security officer Joe Sullivan was charged by the US Federal Court on Thursday as he allegedly arranged to pay the hackers $ 10,000 to cloak a high tech heist that exposed the personal information of about 57 Million of the ride-hailing service's users and drivers data during 2016. This was first reported by the New York Times.
Two accused hackers have pleaded guilty for abetting the operation of the leak last year and are awaiting sentencing. The criminal offense complaint was filed on Thursday against Uber's former chief of security, alleging that the hackers had shared the data with the third person, who may still have it.
Sullivan, 52, who has served not only as an assistant U.S attorney in a Computer Hacking & IP Unit used to work in the same federal court office that brought the charges against him. He is based out of Palo Alto, California, and has previously been employed by unicorns like eBay, Facebook, and PayPal. The irony being, he was a member of the federal commission on enhancing national cybersecurity under President Barack Obama.
"If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all," the statement said. "From the outset, Mr. Sullivan and his team collaborated closely with legal, communications, and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department - and not Mr. Sullivan or his group - was responsible for deciding whether, and to whom, the matter should be disclosed," it added.
Bradford Williams, a spokesman for Sullivan who also previously worked for eBay, said in a statement there is "no merit" to the charges.
This news broke out on the same day the big news came that allowed Uber and Lyft to continue treating their drivers as independent contractors in the state in a move that will buy more time for both the companies to protect their business models in a key market.
This isn't the first time something like this has happened in Uber's history. If we dial back to 2017 when the co-founder Travis Kalanick stepped down after a slew of controversies hitting the ride-sharing company. Current CEO Dara Khosrowshahi, who has on the past occasion apologized for the same and has shown full cooperation with the investigation that led to the charges against Sullivan.
This case was managed by David Anderson who even handled the Uber case against Google which led to the criminal conviction against the former Google engineer Anthony Levandowski. Levandowisk who is serving an 18-month sentence in the federal prison pleaded guilty for stealing trade secrets after Uber acquired his startup, Otto. Having been convicted, there was no evidence found against him for using Google's trade secrets while managing Uber's self-driving car division.
"Silicon Valley is not the wild west," U.S. Attorney David Anderson said. "We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments," he added.
Sullivan is yet to be incriminated in the court for obstruction of justice and misprision of a felony. If the final verdict comes, he could face up to eight years in prison, as well as be liable to a fine of $500,000.
From the alarm of 2014's hack that was under investigation, Uber met at Sullivan's alleged instructions, the new hacker's 2016 demand of $100,000 Bitcoin payment, prosecutors alleged. Sullivan then, prosecutors say, had the hackers sign non-disclosure agreements - twice - which included a false representation that they had not taken or stored any data.
Sullivan created a diversion of this payment not tracing back to him by using a program called "bug bounty" under the legal term "white hat", where the hackers are paid if they point out a security flaw.
Uber's management "ultimately discovered the truth," despite Sullivan's alleged efforts to conceal it, the U.S. attorney's office says, and publicly announced the breach in November 2017 which led to his exit from the company. Prosecutors allege the hackers might not have infiltrated other companies if Sullivan had properly reported Uber's incident.