US federal authorities have pressed charges against the former chief security officer of transportation company Uber, Joseph Sullivan, alleging he made illegal hush money payments to hackers who stole sensitive personal information in 2016.
Uber initially did not disclose the 2016 data breach that saw Canadian Vasile Mereacre and Floridian Brandon Glover access and download a database stored on Amazon Web Services, using an engineer’s credentials accidentally left on the open source repository GitHub.
The two were arrested and pleaded guilty in October 2019, not just to the Uber hack but also to other attacks on tech companies that followed their successful data breach of the ridesharing company and ensuing payout.
Sensitive personal information for around 57 million Uber customers and drivers was stored in the database, and it included the drivers’ licence numbers of approximately 600,000 people.
US prosecutors now allege that the hackers emailed Sullivan in November 2016 to tell him that Uber had been breached.
Uber confirmed the breach but rather than report it to the Federal Trade Commission, the then CSO tried to hide the event and arrange payments to the hackers, prosecutors allege.
Sullivan sought to pay the hackers through a bug bounty program normally aimed at security researchers who ethically disclose flaws and vulnerabilities to Uber.
The former CSO is also alleged to have falsified a report on the hack and the US$100,000 payment in Bitcoin prepared for incoming chief executive Dara Khosrowshahi in 2017.
If found guilty, Sullivan faces a maximum penalty in prison.