
Former Uber security chief to face fraud charges over hack coverup

This is thought to be the first instance of a corporate information security officer criminally charged with concealing a hack

A former Uber security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hack that exposed the personal information of 57 million passengers and drivers, a federal judge said yesterday.

Uber fired its chief security officer (CSO) Joseph Sullivan, currently the chief security officer of Cloudflare, in 2017 after it emerged that the company tried to hide a huge data breach. The breach took place in October 2016 and included names and email addresses of over 50 million users of the app as well as 7 million drivers, with hackers accessing around 600,000 driver’s licence numbers. The cover-up also involved payments of $100,000 in Bitcoin to the hackers.

The US Department of Justice added three charges against Sullivan in December to an earlier indictment, according to Reuters, claiming he arranged to pay two hackers in exchange for their silence while trying to hide the hack from passengers, drivers, and the US Federal Trade Commission (FTC).

The December indictment alleged that Sullivan tried to suppress discovery of the breach by having two of the hackers execute a non-disclosure agreement, which falsely stated that the hackers had neither taken nor stored Uber’s data in the 2016 breach. It also alleged that Sullivan misrepresented the nature and scope of the compromised data to Uber’s new chief executive officer, Dara Khosrowshahi, falsely suggested that the incident wasn’t a data breach, and sent an email falsely claiming that it wasn’t a data breach at all, but an incident no more severe than other security incidents.

U.S. District Judge William Orrick in San Francisco has now rejected Sullivan’s claim that prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers wouldn’t flee and would continue paying service fees.

Orrick also rejected the former Uber security chief’s claim that the people allegedly deceived were Uber’s then-chief executive Travis Kalanick and its general counsel, not the drivers.


"Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them," said Orrick, according to the indictment.

Sullivan was originally indicted in September 2020 and also faces two obstruction charges. He’s believed to be the first corporate information security officer criminally charged with concealing a hack. 

Uber was fined $148 million in 2018 for failing to notify its drivers that their personal details had been hacked in 2016. The ride-hailing firm agreed on a settlement with all 50 states and the District of Columbia.
