Former Uber security chief to face fraud charges over hack coverup

A former Uber security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hack that exposed the personal information of 57 million passengers and drivers, a federal judge said yesterday.

Uber fired its chief security officer (CSO) Joseph Sullivan, currently the chief security officer of Cloudflare, in 2017 after it emerged that the company tried to hide a huge data breach. The breach took place in October 2016 and included names and email addresses of over 50 million users of the app as well as 7 million drivers, with hackers accessing around 600,000 driver’s licence numbers. The cover-up also involved payments of $100,000 in Bitcoin to the hackers.

The US Department of Justice added three charges against Sullivan in December to an earlier indictment, according to Reuters, claiming he arranged to pay two hackers in exchange for their silence while trying to hide the hack from passengers, drivers, and the US Federal Trade Commission (FTC).

In the December indictment, it alleged that Sullivan tried to suppress discovery of the breach by having two of the hackers execute a non-disclosure agreement. It falsely stated that the hackers had neither taken nor stored Uber’s data in the 2016 breach. It also said Sullivan allegedly misrepresented to Uber’s new chief executive officer, Dara Khosrowshahi, the nature and scope of the data that was compromised, falsely suggested that the incident wasn’t a data breach, and sent an email falsely claiming that the data breach wasn’t a data breach at all, but an incident that was no more severe than other security incidents.

Now, U.S. District Judge William Orrick in San Francisco rejected Sullivan’s claim that prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers wouldn’t flee and would continue paying service fees.

Orrick also rejected the former Uber security chief’s claim that the people allegedly deceived were Uber’s then-chief executive Travis Kalanick and its general counsel, not the drivers.

"Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them," said Orrick, according to the indictment.

Sullivan was originally indicted in September 2020 and also faces two obstruction charges. He’s believed to be the first corporate information security officer criminally charged with concealing a hack.

Uber was fined $148 million in 2018 for failing to notify its drivers that their personal details had been hacked in 2016. The ride-hailing firm agreed on a settlement with all 50 states and the District of Columbia.