Former Uber Security Chief Charged With Paying 'Hush Money' To Conceal Data Breach
DAVID GREENE, HOST:
Former top executive at Uber is accused of concealing a massive hack that exposed the data of 57 million drivers and passengers. He was fired and now faces criminal charges. NPR's tech correspondent Shannon Bond reports. And just to note here, Uber is an NPR financial supporter.
SHANNON BOND, BYLINE: When Joe Sullivan learned that hackers had stolen huge amounts of data from Uber back in 2016, he didn't tell regulators, law enforcement or the public. Instead, federal prosecutors allege Uber's chief security officer tried to hide it. Here's U.S. Attorney David Anderson, who filed the charges against Sullivan in federal court in Northern California.
DAVID ANDERSON: We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.
BOND: To keep the incident under wraps, prosecutors say Sullivan arranged for Uber to pay the hackers $100,000. And he had them sign nondisclosure agreements saying falsely that they never stole any data. That payment was made through Uber's bug bounty program. Many tech companies have similar programs offering rewards to so-called white hat hackers that test their systems for vulnerabilities. But Anderson says this payment was not a bug bounty. It was a cover-up.
ANDERSON: The problem isn't with a legitimate bug bounty. The problem is that this hush money payment was not a bug bounty. That's the problem.
BOND: Uber did eventually disclose the breach and fire Sullivan but not until a year later. Two men pleaded guilty to the hack last year. Now Sullivan is charged with obstructing justice and concealing a felony. A spokesman for Sullivan says there's no merit to the charges. He says it was up to Uber's legal team to report the breach. Uber says it's cooperating with the investigation. If he's convicted, Sullivan could face up to eight years in prison and $500,000 in fines.
Shannon Bond, NPR News, San Francisco.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.