Former Uber Exec Charged With Paying 'Hush Money' to Conceal Data Breach Federal prosecutors allege Uber's former chief security officer Joe Sullivan covered up the breach and arranged a $100,000 payment to the hackers.
NPR logo

Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach

  • Download
  • <iframe src="https://www.npr.org/player/embed/904113981/904383374" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach

Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach

  • Download
  • <iframe src="https://www.npr.org/player/embed/904113981/904383374" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

AILSA CHANG, HOST:

Uber's former chief security officer is facing criminal charges for allegedly covering up a massive data breach that affected 57 million passengers and drivers. Federal prosecutors say the former executive concealed the breach from authorities and paid the hackers $100,000 to cover it up. NPR's tech correspondent Shannon Bond joins us now with more. Hey, Shannon.

SHANNON BOND, BYLINE: Hey, Ailsa.

CHANG: Hey. We should note first that Uber is a financial supporter of NPR. So, Shannon, tell us the story behind these charges.

BOND: Right. So Joe Sullivan was Uber's head of security. He was the person in charge of making sure that hackers couldn't get inside Uber's systems or steal sensitive personal data on drivers and customers. But back in 2016 two hackers did just that. They got into a database. They took driver's license numbers of some 600,000 drivers, also email addresses and phone numbers of 57 million people. David Anderson, the U.S. attorney here in northern California, brought these charges. And he says instead of reporting this breach to the authorities, Sullivan hid it. Here's what he told me.

DAVID ANDERSON: Sullivan is being charged with a corporate cover-up, and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed.

BOND: Now, a spokesman for Sullivan says there's no merit to these charges. He says the hackers got identified because of Sullivan's efforts, and it was up to Uber's legal department to disclose this breach. But if convicted, Sullivan faces up to eight years in prison and fines.

CHANG: What do prosecutors mean by hush money?

BOND: Well, Uber really tried to keep this whole thing under wraps. Prosecutors allege Sullivan arranged for Uber to pay the hackers this hundred thousand dollars and signed nondisclosure agreements that said falsely that the hackers never stole any data. And they also say that Uber's CEO at the time, co-founder Travis Kalanick, knew about the breach. He knew about the plan to pay off the hackers. To be clear, Kalanick has not been charged. He declined to comment. But, you know, this whole situation is really reminiscent of these hard-charging, boundary-pushing behaviors that got Uber in trouble again and again under Kalanick's leadership.

CHANG: Right. Right. Well, I mean, Uber did eventually reveal the hack here, right?

BOND: That's right. After Kalanick was pushed out, the breach did come to light. Uber's new CEO disclosed it to authorities. He apologized. He fired Sullivan, but that was a year after Sullivan first learned about this breach. And prosecutors say that that delay had serious consequences. The hackers were able to go on and target other companies. They carried out another big breach at LinkedIn. The U.S. attorney charged two men with the hack. They pleaded guilty to criminal charges last year, and Uber says it's cooperating with the investigation.

CHANG: And while we're at it, we should also point out that Uber is in the news right now for another reason. Tell us about what's going on here in California real quick.

BOND: That's right. Uber and rival Lyft had been threatening to suspend service in California at midnight tonight. That's because last week a judge ordered them to reclassify their drivers as employees instead of independent contractors to comply with a new state labor law. The companies say they can't just flip a switch. But this afternoon they got a reprieve. An appeals court has given them more time to figure this out. They have until early September to come up with plans for how they would comply with this law if they end up losing in court.

CHANG: That is NPR's Shannon Bond. Thank you, Shannon.

BOND: Thanks.

Copyright © 2020 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.