Uber’s former Chief Security Officer (CSO) Joseph Sullivan is facing a criminal charge based on a complaint filed in federal court on August 20 by the U.S. Department of Justice (DOJ). He is accused of making a hush-money payment to keep information about a 2016 hack of Uber secret.
As revealed in the criminal complaint, Sullivan was informed about a 2016 data breach in an email sent by two hackers demanding payment to keep quiet. According to the hackers, they were able to access and download an Uber database which contained personally identifying information of about 57 million Uber users and drivers.
The database included the driver’s license numbers of about 600,000 people who drove for Uber. It is alleged that Sullivan deliberately took steps to conceal the breach and to deflect and mislead the Federal Trade Commission (FTC) about it.
He allegedly paid $100,000 in Bitcoin at the time via a bug bounty program with the intention of keeping information about the breach from reaching the FTC. White-hat hackers, who report security issues to firms, often use bug bounty programs.
Bug bounty programs are legitimate programs in which hackers inform firms of their systems’ faults and the firms pay them in return. Leading tech companies such as Apple and Samsung are renowned for organizing such programs.
Sullivan went as far as asking the hackers to sign non-disclosure agreements (NDAs) falsely stating that they had not obtained any personal information from Uber. An investigation identified the two hackers who breached Uber’s database, but despite the discovery, Sullivan still asked other hackers to sign NDAs instead of informing the relevant authorities.
He is facing charges of misprision of a felony and obstruction of justice, and he has denied these allegations. Hackers are known to hijack firms’ systems and then demand ransom in cryptocurrencies to restore those systems.