Former Uber Exec Charged With Paying 'Hush Money' To Conceal Massive Breach (npr.org)

Federal prosecutors have charged Uber's former chief security officer with covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack. NPR reports: Prosecutors are charging the former executive Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in federal court in California on Thursday.

"Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed," David Anderson, U.S. attorney for the Northern District of California, told NPR. Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management -- with one exception. According to the complaint, Uber's CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber's "bug bounty" program. Kalanick has not been charged and wouldn't comment for this story.

Like many tech companies, Uber pays so-called "white hat" hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company's program "had a nominal cap of $10,000." Uber required the hackers to sign nondisclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data. "The problem is that this hush money payment was not a bug bounty," Anderson said. "We allege that this entire course of conduct reflects [Sullivan's] consciousness of guilt and desperation to conceal."

Comments:
  • by CommunityMember ( 6662188 ) on Thursday August 20, 2020 @06:51PM (#60424525)

    Kalanick has not been charged

    Of course, when Joe Sullivan flips (and of course he will flip(*)) that will change.

    (*) When the feds indict, there is rarely doubt as to whether they have the goods to obtain a conviction. The only way to try to obtain a "get out of jail" (or at least a reduced sentence) card is to flip on someone up the food chain. And, of course, Travis Kalanick is the bigger fish. No wonder Travis has no comment (his lawyers are currently preparing the spin).

  • They extorted $100,000 from a corporation and then signed nondisclosure agreements? Wouldn't their signature reveal their identity, making them susceptible to blackmail from the corporation? Did they also sign an agreement saying they wouldn't hack the computers again and extort more money? Why would the corporation ever believe them? Perhaps the NDA signature was faked?
  • by grep -v '.*' * ( 780312 ) on Thursday August 20, 2020 @08:46PM (#60424855)
    What?!? It's not Hush Money or Bug Money or anything of the sort.

    I'm the CSO -- all those hackers just looked at me bored and I thought I'd give them something to do. Lots and LOTS of something to do, so that they wouldn't get around to looking at ... things. Yeah, things.

    And then keeping it hidden from other Senior management, that's just completely false. I hired an Uber driver to hand-deliver the messages since I didn't want them to go thru email. Just because the driver was able to go off-shift forever more after delivering that first message is not at all my fault. And yes I did give him a large tip, but I do every single driver I use -- all one of them.

    Gee, I can make up excellent-sounding excuses too -- maybe *I* could be a CxO. And I hear that lately there's an opening or two. Having workers, I mean "independent contractors", driving around places that we send them; it's almost like an MMO video game where you're God. A stupid one, but a video game nonetheless. And I'm great at Pong.
  • by misnohmer ( 1636461 ) on Friday August 21, 2020 @01:47AM (#60425437)

    Does California have a criminal law on the books that companies must disclose any security breaches to authorities and all their employees as soon as they discover said breach, or within some period of time which was exceeded in this case? Was this law on the books in 2016 (before the Equifax disaster)? Last I checked, the USA does not impose a legal obligation to report a crime if one is aware of it.

    • by Anonymous Coward

      Does California have a criminal law on the books that companies must disclose any security breaches to authorities and all their employees as soon as they discover said breach, or within some period of time which was exceeded in this case?

      They hid evidence from a federal investigation. That's a crime. Start at paragraph five. [justice.gov]

  • I survived the exact situation he's now in. I was working at a company a number of years ago, headquartered in California, that had a suspected data loss event. It just so happened that I was the person who reviewed the event and then sent the first email to my management chain confirming that it was indeed a (significant) data loss event.

    In the eyes of the state of California my email started the clock on the company's notification period. The company never notified the public like they were supposed to in the time period required by California law. They also didn't notify the federal government like they were supposed to when they lost federal data.

    That email to my superiors detailing exactly what happened saved my butt. At some point someone (I don't know who) leaked the story to the news and it made headlines for quite a while. The company was sued by two different state attorneys general over the issue. The feds also got involved since federal data was among the data that went missing. Lawyers for the people who lost their data sued and they also had a field day.

    My company email and computer were forensically examined, with the results reviewed by many lawyers. I ended up billing more time to the legal department over the six months after the story broke than I did to my own. Time and again I was in the clear because I had promptly notified those above me in writing about the data loss event right after discovering it.

    Those at the C level don't have anyone above them and are responsible for notifying the appropriate authorities about the lost data. In this case they didn't do that and they covered it up instead. At the place I was at this cost a lot of senior leadership their jobs. I think it's safe to say the same will happen at Uber.
